py37-certbot question

Dale Scott dalescott at shaw.ca
Sat Sep 12 18:58:47 UTC 2020


Keep in mind there are several use cases for LetsEncrypt. When I used LetsEncrypt to create a certificate I used the port 80 authentication method and had to shut down apache during the procedure (restarting afterwards). Using certbot to renew the certificate is a different process and does not require shutting down services using port 80.


----- Original Message -----
> From: "Valeri Galtsev" <galtsev at kicp.uchicago.edu>
> To: "Kevin P. Neal" <kpn at neutralgood.org>
> Cc: "freebsd-questions" <freebsd-questions at freebsd.org>
> Sent: Saturday, September 12, 2020 10:17:06 AM
> Subject: Re: py37-certbot question

>> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal <kpn at neutralgood.org> wrote:
>> 
>> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>>> On my fbsd system I manually renew.  My notes from 2019 say it is necessary
>>> to stop the server before renewing because certbot starts its own temporary
>>> one to do the upgrade.  So I do the sequence:
>>>   service apache24 stop
>>>   certbot renew
>>>   service apache24 start
>>> 
>>> It may be the py37 version stops and restarts the server; I haven't tried it
>>> without stopping the server so I don't know.
>> 
>>> If it has been running weekly as a cron job, it should have been renewed
>>> about three weeks ago.  It should renew on the first attempt that is less
>>> than 30 days until expiration.  So it sounds like it is attempting to
>>> renew but failing.  It may be that if the server isn't stopped it won't
>>> renew because it can't acquire the necessary port.
>> 
>> Wait, that doesn't sound right. I never, ever stop services to run certbot
>> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
>> relevant virtual server(s) for the verification step. Then I copy the new
>> certs to the relevant locations and bounce servers at that point. But a
>> service outage is not required.
>> 
>> I even have my http servers redirect all traffic to the https server EXCEPT
>> for the certbot traffic. It's another example of mod_rewrite being one of
>> the most powerful tools around IMHO.
>> 
>> [kpn at gunsight1 ~]$ pkg info | grep certbot
>> py37-certbot-1.7.0,1           Let's Encrypt client
>> [kpn at gunsight1 ~]$
>> 
> 
> Thank you, Gary and Kevin. I just had yet another cron.weekly happen this
> morning, and the cert was not renewed. So, I ran certbot renew manually and
> restarted apache. My trouble is in the way I configured the renewal cron job
> following somebody’s HOWTO; I will switch back to just a cron job with an
> appropriate explicit “certbot renew …” command after I check that python3-based
> certbot does have --post-hook to restart apache in the event of a successful cert
> renewal.
> 
> I’m sure Kevin is right: the web server must be running when certbot attempts to
> renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests the
> cert is capable of writing the challenge sent to it into the web directory.
> 
> Thanks again, everybody!
> 
> Valeri
> 
>> --
>> Kevin P. Neal                                http://www.pobox.com/~kpn/
>> 
>> "What is mathematics? The age-old answer is, of course, that mathematics
>> is what mathematicians do." - Donald Knuth
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> 
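The webroot-style renewal and the mod_rewrite exemption the thread describes, as an added example (this script is not from the thread, from certbot or from the FreeBSD port; the DocumentRoot, the domain and the reload command are assumptions to replace for your host). It drops a test token into .well-known/acme-challenge/ where certbot's webroot plugin would, fetches it back over the URL the CA would use, and only then runs "certbot renew", all with Apache still running. Note that --deploy-hook runs only for a certificate that was actually issued, whereas --post-hook runs after any renewal attempt, successful or not.

```sh
#!/bin/sh
# acme-selftest.sh -- check that Apache serves the HTTP-01 challenge path
# while it keeps running, then renew with certbot's webroot method.
# Added example; not code from the thread or from certbot.
# Assumed values (replace for your host):
#   webroot  /usr/local/www/apache24/data   (Apache DocumentRoot)
#   baseurl  http://www.example.com          (what the CA fetches from)
set -u

CHALLENGE_DIR=".well-known/acme-challenge"

# Print the body of URL: fetch(1) on FreeBSD, curl elsewhere.
fetch_url() {
    if command -v fetch >/dev/null 2>&1; then
        fetch -qo - "$1"
    else
        curl -fsS "$1"
    fi
}

# 64 hex characters, which is inside the character set ACME tokens use.
make_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# acme_selftest WEBROOT BASEURL
# Writes a token file where certbot --webroot would, fetches it back through
# the web server, removes it, and returns 0 only if the body came back
# unchanged.  A 301 to HTTPS or a 404 (for instance a rewrite rule that does
# not exempt /.well-known/acme-challenge/) makes this fail, as it would for
# the CA's validation request.
acme_selftest() {
    webroot=$1
    baseurl=$2
    token=$(make_token)
    dir="$webroot/$CHALLENGE_DIR"
    mkdir -p "$dir" || return 2
    printf '%s.selftest\n' "$token" >"$dir/$token" || return 2
    body=$(fetch_url "$baseurl/$CHALLENGE_DIR/$token")
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$body" = "$token.selftest" ]
}

# The port-80 vhost shape Kevin describes: everything goes to HTTPS except
# the ACME challenge path.  Printed so it can be pasted into httpd.conf.
http_vhost_example() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /usr/local/www/apache24/data
    RewriteEngine On
    # Serve ACME HTTP-01 challenges over plain HTTP ...
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # ... and redirect everything else to HTTPS.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# Usage: sh acme-selftest.sh run /usr/local/www/apache24/data http://www.example.com
# The same line works from cron; no "service apache24 stop" is needed.
case "${1:-}" in
run)
    if ! acme_selftest "$2" "$3"; then
        echo "challenge path is not served as written; fix the vhost first" >&2
        exit 1
    fi
    # --deploy-hook runs only for a certificate that was actually issued,
    # so Apache is reloaded only when there is something new to load.
    certbot renew --webroot -w "$2" --deploy-hook 'service apache24 graceful'
    ;;
vhost)
    http_vhost_example
    ;;
esac
```

Running "sh acme-selftest.sh vhost" prints the vhost fragment; "run" does the self-test and the renewal. If the self-test fails after a renewal cron job has been silently not renewing, the redirect or the DocumentRoot is the first place to look.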

