py37-certbot question
Dale Scott
dalescott at shaw.ca
Sat Sep 12 18:58:47 UTC 2020
Keep in mind there are several use cases for LetsEncrypt. When I used LetsEncrypt to create a certificate I used the port 80 authentication method and had to shut down apache during the procedure (restarting afterwards). Using certbot to renew the certificate is a different process and does not require shutting down services using port 80.
----- Original Message -----
> From: "Valeri Galtsev" <galtsev at kicp.uchicago.edu>
> To: "Kevin P. Neal" <kpn at neutralgood.org>
> Cc: "freebsd-questions" <freebsd-questions at freebsd.org>
> Sent: Saturday, September 12, 2020 10:17:06 AM
> Subject: Re: py37-certbot question
>> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal <kpn at neutralgood.org> wrote:
>>
>> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>>> On my fbsd system I manually renew. My notes from 2019 say it is necessary
>>> to stop the server before renewing because certbot starts its own temporary
>>> one to do the upgrade. So I do the sequence:
>>> service apache24 stop
>>> certbot renew
>>> service apache24 start
>>>
>>> It may be the py37 version stops and restarts the server; I haven't tried it
>>> without stopping the server so I don't know.
>>
>>> If it has been running weekly as a cron job, it should have been renewed
>>> about three weeks ago. It should renew on the first attempt that is less
>>> than 30 days until expiration. So it sounds like it is attempting to
>>> renew but failing. It may be that if the server isn't stopped it won't
>>> renew because it can't acquire the necessary port.
>>
>> Wait, that doesn't sound right. I never, ever stop services to run certbot
>> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
>> relevant virtual server(s) for the verification step. Then I copy the new
>> certs to the relevant locations and bounce servers at that point. But a
>> service outage is not required.
>>
>> I even have my http servers redirect all traffic to the https server EXCEPT
>> for the certbot traffic. It's another example of mod_rewrite being one of
>> the most powerful tools around IMHO.
>>
>> [kpn at gunsight1 ~]$ pkg info | grep certbot
>> py37-certbot-1.7.0,1 Let's Encrypt client
>> [kpn at gunsight1 ~]$
>>
>
> Thank you, Gary and Kevin. I just had yet another cron.weekly happen this
> morning, and the cert was not renewed. So, I ran certbot renew manually, and
> restarted apache. My trouble is in the way I configured the renewal cron job
> following somebody’s HOWTO; I will switch back to just a cron job with an
> appropriate explicit “certbot renew …” command after I check that the python3-based
> certbot does have --post-hook to restart apache in the event of successful cert
> renewal.
>
> I’m sure Kevin is right: the web server must be running when certbot attempts to
> renew the cert. It is necessary, as LetsEncrypt verifies that whoever requests the
> cert is capable of writing the challenge sent to it into the web directory.
>
> Thanks again, everybody!
>
> Valeri
>
>> --
>> Kevin P. Neal http://www.pobox.com/~kpn/
>>
>> "What is mathematics? The age-old answer is, of course, that mathematics
>> is what mathematicians do." - Donald Knuth
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
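The setup Kevin describes (webroot validation with all plain-HTTP traffic redirected to HTTPS except the ACME challenge path, so apache stays up during renewal) as an added Apache vhost example; it is not configuration from anyone in this thread, and the hostname and webroot path are assumptions.

```apache
# Port-80 vhost: serve only the HTTP-01 challenge directory over plain HTTP and
# redirect everything else to HTTPS. Because apache keeps listening on port 80,
# "certbot renew" can validate without stopping the service.
<VirtualHost *:80>
    # Assumed hostname and webroot; the webroot is the directory passed to
    # "certbot renew --webroot -w /usr/local/www/example".
    ServerName www.example.org
    DocumentRoot /usr/local/www/example

    # Let's Encrypt fetches http://www.example.org/.well-known/acme-challenge/<token>.
    # Certbot writes the token file here, so it must be readable and unredirected.
    <Directory "/usr/local/www/example/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # mod_rewrite: everything except the challenge path goes to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With this in place the certificate files still have to be re-read by apache after a successful renewal; certbot's --deploy-hook runs a command only when a certificate was actually renewed, whereas --post-hook runs after every renew attempt.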