galtsev at kicp.uchicago.edu
Sat Sep 12 19:22:45 UTC 2020
> On Sep 12, 2020, at 1:58 PM, Dale Scott <dalescott at shaw.ca> wrote:
> Keep in mind there are several use cases for LetsEncrypt. When I used LetsEncrypt to create a certificate I used the port 80 authentication method and had to shutdown apache during the procedure (restarting afterwards). Using certbot to renew the certificate is a different process and does not require shutting down services using port 80.
Thank you, Dale! That is what Gary probably meant, and I, with my restricted knowledge of the options, didn’t realize that. Sorry, Gary, about my comment; now, with Dale’s explanation, I know what you meant.
> ----- Original Message -----
>> From: "Valeri Galtsev" <galtsev at kicp.uchicago.edu>
>> To: "Kevin P. Neal" <kpn at neutralgood.org>
>> Cc: "freebsd-questions" <freebsd-questions at freebsd.org>
>> Sent: Saturday, September 12, 2020 10:17:06 AM
>> Subject: Re: py37-certbot question
>>> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal <kpn at neutralgood.org> wrote:
>>> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>>>> On my fbsd system I manually renew. My notes from 2019 say it is necessary
>>>> to stop the server before renewing because certbot starts its own temporary
>>>> one to do the upgrade. So I do the sequence:
>>>> service apache24 stop
>>>> certbot renew
>>>> service apache24 start
>>>> It may be the py37 version stops and restarts the server; I haven't tried it
>>>> without stopping the server so I don't know.
>>>> If it has been running weekly as a cron job, it should have been renewed
>>>> about three weeks ago. It should renew on the first attempt that is less
>>>> than 30 days until expiration. So it sounds like it is attempting to
>>>> renew but failing. It may be that if the server isn't stopped it won't
>>>> renew because it can't acquire the necessary port.
>>> Wait, that doesn't sound right. I never, ever stop services to run certbot
>>> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
>>> relevant virtual server(s) for the verification step. Then I copy the new
>>> certs to the relevant locations and bounce servers at that point. But a
>>> service outage is not required.
>>> I even have my http servers redirect all traffic to the https server EXCEPT
>>> for the certbot traffic. It's another example of mod_rewrite being one of
>>> the most powerful tools around IMHO.
>>> [kpn at gunsight1 ~]$ pkg info | grep certbot
>>> py37-certbot-1.7.0,1 Let's Encrypt client
>>> [kpn at gunsight1 ~]$
>> Thank you, Gary and Kevin. I just had yet another cron.weekly happen this
>> morning, and the cert was not renewed. So, I ran certbot renew manually, and
>> restarted apache. My trouble is in the way I configured the renewal cron job
>> following somebody’s HOWTO; I will switch back to just a cron job with an
>> appropriate explicit “certbot renew …” command after I check that python3 based
>> certbot does have --post-hook to restart apache in the event of successful cert
>> I’m sure Kevin is right: the web server must be running when certbot attempts to
>> renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests the
>> cert is capable of writing the challenge sent to it into the web directory.
>> Thanks again, everybody!
>>> Kevin P. Neal http://www.pobox.com/~kpn/
>>> "What is mathematics? The age-old answer is, of course, that mathematics
>>> is what mathematicians do." - Donald Knuth
>>> freebsd-questions at freebsd.org mailing list
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
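As an added illustration of the setup Kevin describes above (renewal with the web server running, HTTP redirected to HTTPS except for the ACME challenge path) and of the --post-hook Valeri mentions, here is an Apache port-80 vhost plus a cron entry; this is example configuration written for this thread, not anything posted by the participants, and the hostname and paths (www.example.org, /usr/local/www/acme) are assumed.

```apache
# Port-80 vhost: serve http-01 challenge files, redirect everything else to HTTPS.
# Hostname and paths are assumptions for this example.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /usr/local/www/apache24/data

    # certbot --webroot -w /usr/local/www/acme writes tokens under this path;
    # keep the directory separate from the site content and read-only to clients.
    Alias /.well-known/acme-challenge/ /usr/local/www/acme/.well-known/acme-challenge/
    <Directory /usr/local/www/acme/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect all plain-HTTP requests EXCEPT the challenge path, so the
    # validation fetch from Let's Encrypt is answered over port 80 as-is.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Matching /etc/crontab entry (assumed schedule): renew without stopping apache24,
# and reload it only when a certificate was actually renewed.
# 0 3 * * 1 root /usr/local/bin/certbot renew --webroot -w /usr/local/www/acme --post-hook "service apache24 graceful"
```

Because --post-hook runs only after a successful renewal, a weekly run that finds nothing due simply exits without touching the server.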