py37-certbot question

Bob Proulx bob at proulx.com
Sat Sep 12 20:59:08 UTC 2020


Valeri Galtsev wrote:
> I use certbot since its python 2 version - for quite some time actually to
> renew LetsEncrypt certificates. With python2 version in the past I run cron
> job daily and I was restarting apache from that same script if certificate
> was updated. With python3 version when I switched to it I followed
> somebody's HOWTO, and just added to /etc/periodic.conf:
> 
> weekly_certbot_enable="YES"
> weekly_certbot_service="apache24"
...
> Or should I probably switch it over to daily cron job?

Yes.  Switch over to a daily cron job.  And verify that email output
from the cron job is successfully delivered and read so that problems
can be seen and handled.

I recall daily being the usual recommended rate.  But time passes and
things change and I do not find any recommendation now.  Just their
rate limits.

    https://letsencrypt.org/docs/rate-limits/

But all of my systems check daily.  Monthly would be way too seldom
and could be problematic.  Weekly would be likely okay when everything
always works perfectly.  But daily seems more resilient when there are
problems.

Remember that the client does not attempt a renewal unless the
certificate expiration is within 30 days.  Therefore the client will
not attempt a renewal no matter how often it is invoked for the first
two months.  Then when the certificate is within 30 days of expiring
it will attempt to renew it.  If that succeeds then once again it
stops trying for two months.  If it fails then upon the next
invocation, in all of my cases the next day, it will try again.  If
something has broken where it fails until manual intervention fixes
things then at most it would try and fail once per day when invoked
daily and that is well safely within the allowed rate limits and is
not a problem.

Let me advocate for using "dehydrated" which is a simpler and IMNHO a
much nicer client than the EFF "certbot".

    https://github.com/dehydrated-io/dehydrated

When I first set up Let's Encrypt I chose the EFF Certbot client.  For
probably all of the same reasons anyone does.  It's from the EFF so it
is likely to be the best one, right?

However in practice I found Certbot to be quite the behemoth.  It
wants to maintain a full virtual python environment and on my systems
that was about 50MB of downloads that it would routinely try to
update.  And upon system upgrades it would break and I would need to
get in there and fix things.  Not so nice.

Plus the user interface of it is not really to my liking.  The way
Certbot works is that it keeps its own state files as json format and
one updates those using certbot commands.  Rather like carving a
sculpture in clay you keep changing it until it is what you want and
then you use it that way.  This is fine of course.  But it is not to
my personal liking.  I much prefer simply having plain text
configuration files that I can set all at once to what is needed.  Can
be copied from one system to another as a template for the new system
and then hacked into the new one.  And then can keep those files in
version control.  Plus changes to those plain text files make plain
text sense rather than json syntax sense.

So eventually I switched from 'certbot' to 'dehydrated'.  It is a
single shell script.  It's simple.  Dehydrated is relatively small as
compared with certbot.  I can read it and understand what it is doing.
However so far I haven't needed to do so because it has simply Just
Worked.  And has Just Worked across multiple systems and OS upgrades.

If anyone reading this is like me and found Certbot to be large and
unpleasantly heavy then perhaps give dehydrated a look.  If you are
like me then you might find it more suitable and more to your liking.
Note that I am in no way associated with the dehydrated project.  I am
simply a happy user of it.

Bob
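
The renewal behaviour described above (no attempt until the certificate is within 30 days of expiry, then one attempt per invocation, retried on the next invocation after a failure) can be simulated to compare daily, weekly and monthly cron cadences. The following is an added example, not code from this post or from certbot or dehydrated; the 90-day certificate lifetime, the 30-day renewal window and the outage day ranges are assumptions constructed for the simulation.

```python
"""Simulate how often a Let's Encrypt client actually attempts a renewal
under daily, weekly and monthly invocation.

Assumptions (constructed for this example, not taken from the post):
certificates live 90 days, the client only tries to renew when 30 days or
fewer remain, and an "outage" day range makes every attempt in it fail.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

CERT_LIFETIME_DAYS = 90   # assumed certificate lifetime
RENEW_WITHIN_DAYS = 30    # client only attempts renewal inside this window


@dataclass
class Outcome:
    attempts: int               # renewal attempts made (successful or not)
    failures: int               # attempts that failed
    renewed_on: Optional[int]   # day the renewal succeeded, or None
    lapsed: bool                # certificate expired without being renewed


def simulate(check_every_days: int,
             outage: Optional[Tuple[int, int]] = None) -> Outcome:
    """Invoke the client on day 0 (issue day) and every check_every_days
    after that, until the certificate is renewed or reaches expiry.
    outage is an inclusive (first_day, last_day) range of failing days."""
    attempts = failures = 0
    renewed_on = None
    for day in range(0, CERT_LIFETIME_DAYS, check_every_days):
        if CERT_LIFETIME_DAYS - day > RENEW_WITHIN_DAYS:
            continue                      # too early: client does nothing
        attempts += 1                     # at most one attempt per invocation
        if outage and outage[0] <= day <= outage[1]:
            failures += 1                 # fails; retried on next invocation
            continue
        renewed_on = day
        break
    return Outcome(attempts, failures, renewed_on, renewed_on is None)


if __name__ == "__main__":
    # Compare cadences with no outage and with a 16-day validation outage.
    for label, outage in (("no outage", None), ("outage days 55-70", (55, 70))):
        print(label)
        for name, every in (("daily", 1), ("weekly", 7), ("monthly", 30)):
            print(f"  {name:8} {simulate(every, outage)}")
```

With the constructed outage the monthly schedule lets the certificate lapse, weekly recovers after two failures, and daily recovers with one failed attempt per day, which is the resilience argument made above.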


More information about the freebsd-questions mailing list