Let's Encrypt
adrian.van.de.ven at sentia.com
Tue Oct 22 07:39:39 UTC 2019
On 13/10/2019 19:52, Leif Pedersen wrote:
> On Sat, Oct 12, 2019 at 6:28 PM Garrett Wollman <wollman at bimajority.org> wrote:
>
>> <<On Tue, 10 Sep 2019 07:52:31 +0700, Victor Sudakov <vas at mpeks.tomsk.su>
>> said:
>>
>>> Trond Endrestøl wrote:
>>>> #minute hour mday month wday who command
>>>>
>>>> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>>>> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>>
>>> Is it safe to run certbot as root?
>> I can't speak to certbot (I currently use acmetool) but in general,
>> the thing that certbot does requires the ability to signal whatever
>> process is using the certificates, which is normally going to be a web
>> server but might be a mail server, name server, RADIUS server, or some
>> other application -- as shown in the example above. So if you don't
>> run it as root (probably smart) you'll need to find another way to
>> tell the TLS server application to reload its certificates when
>> needed.
>>
>> -GAWollman
>>
> A good point. One option might be to run two cron jobs. One job would run
> certbot as an unprivileged user, and the other would run "service apache24
> restart" as root an hour or so later. (Or maybe reload is enough.)
Or something like this. Check if there are new certs and if so do
something with them:
#!/usr/local/bin/bash
# Only act when a certificate file under the dehydrated tree changed in the last hour
# (-mtime -1h is FreeBSD find syntax)
if [[ -n $(/usr/bin/find /usr/local/etc/dehydrated/rsa/ -mtime -1h -type f) ]]
then
    # First column of domains.txt is the primary name of each certificate
    /usr/bin/awk '{print $1}' /usr/local/etc/dehydrated/domains.txt | \
    while read -r a
    do
        # Copy certs for HAproxy
        /bin/cat /usr/local/etc/dehydrated/rsa/"$a"/cert.pem \
            /usr/local/etc/dehydrated/rsa/"$a"/privkey.pem \
            /usr/local/etc/dehydrated/rsa/"$a"/chain.pem \
            /usr/local/etc/ssl/dhparams.pem > \
            /usr/local/etc/ssl/haproxy/"$a".pem.rsa
        /bin/chmod 600 /usr/local/etc/ssl/haproxy/"$a".pem.rsa
        /bin/cp /usr/local/etc/dehydrated/rsa/"$a"/chain.pem \
            /usr/local/etc/ssl/haproxy/"$a".pem.rsa.issuer
        # Copy certs for HAproxy, this time the ECDSA stuff
        /bin/cat /usr/local/etc/dehydrated/ecdsa/"$a"/cert.pem \
            /usr/local/etc/dehydrated/ecdsa/"$a"/privkey.pem \
            /usr/local/etc/dehydrated/ecdsa/"$a"/chain.pem \
            /usr/local/etc/ssl/dhparams.pem > \
            /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa
        /bin/chmod 600 /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa
        /bin/cp /usr/local/etc/dehydrated/ecdsa/"$a"/chain.pem \
            /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa.issuer
    done
    # Some standard stuff for configs with fixed cert names
    /bin/cp /usr/local/etc/dehydrated/rsa/"$(hostname)"/cert.pem /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/"$(hostname)"/privkey.pem /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/"$(hostname)"/fullchain.pem /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/"$(hostname)"/chain.pem /usr/local/etc/ssl/syslog-ng/
    /usr/local/bin/c_rehash /usr/local/etc/ssl/syslog-ng/
    # Restart services
    /usr/bin/killall haproxy
    /usr/local/etc/rc.d/haproxy restart
    /usr/local/etc/rc.d/syslog-ng restart
    /usr/local/etc/rc.d/postfix restart
fi
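Added example, not code from this thread and not from dehydrated, certbot or HAProxy: a root-run deploy step in the shape Leif and Adrian describe (ACME client stays unprivileged and writes into its own tree; a separate root job bundles the files and reloads services). It assumes a layout of <root>/<domain>/{cert,privkey,chain}.pem, a domains.txt whose first column is the certificate name, a placeholder reload command, and it uses a stamp file with find -newer instead of FreeBSD find's -mtime -1h, so a renewal is still picked up if a cron run is missed. The sample tree it builds holds placeholder PEM text only, constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread). Root-run deploy step that only
# touches services when the unprivileged ACME client wrote new certificates.
# Assumed layout: $root/<domain>/{cert,privkey,chain}.pem written by the ACME
# user; a stamp file records the last deployment; all names are placeholders.
set -u

# Succeed (0) if any file under $1 is newer than stamp file $2, or if no
# stamp exists yet. A stamp is used instead of "modified in the last hour"
# so a renewal is never skipped when a cron run is missed.
certs_changed() {
    [ -f "$2" ] || return 0
    [ -n "$(find "$1" -type f -newer "$2" 2>/dev/null)" ]
}

# Concatenate cert, key, chain and DH params ($2) into one HAProxy PEM ($3).
# Refuses if any input is missing or empty, writes with mode 600 through a
# temp file and renames into place, so a reader never sees a half-written
# or group/world-readable private key.
bundle_haproxy_pem() {
    for f in "$1/cert.pem" "$1/privkey.pem" "$1/chain.pem" "$2"; do
        [ -s "$f" ] || { echo "bundle: missing or empty $f" >&2; return 1; }
    done
    tmp="$3.tmp.$$"
    ( umask 077; cat "$1/cert.pem" "$1/privkey.pem" "$1/chain.pem" "$2" > "$tmp" ) || return 1
    chmod 600 "$tmp" && mv -f "$tmp" "$3"
}

# Bundle every domain listed in the first column of $2 (dehydrated's
# domains.txt layout) from tree $1 into directory $4; prints the number written.
deploy_all() {
    mkdir -p "$4" || return 1
    n=0
    while read -r d rest; do
        case $d in ''|\#*) continue ;; esac
        bundle_haproxy_pem "$1/$d" "$3" "$4/$d.pem" || return 1
        n=$((n + 1))
    done < "$2"
    echo "$n"
}

# Full run: deploy only when something changed, then update the stamp ($5)
# and run the reload command ($6), e.g. "service haproxy reload".
run_deploy() {
    certs_changed "$1" "$5" || { echo "no new certificates"; return 0; }
    count=$(deploy_all "$1" "$2" "$3" "$4") || return 1
    touch "$5"
    $6
    echo "deployed $count bundle(s)"
}

# Constructed sample tree with placeholder PEM text (not real keys), so the
# script can be exercised offline.
setup_demo_tree() {
    for d in example.test mail.example.test; do
        mkdir -p "$1/certs/$d"
        for f in cert privkey chain; do
            printf -- '-----BEGIN %s-----\nplaceholder for %s\n-----END %s-----\n' \
                "$f" "$d" "$f" > "$1/certs/$d/$f.pem"
        done
    done
    printf 'example.test www.example.test\nmail.example.test\n' > "$1/domains.txt"
    printf -- '-----BEGIN DH PARAMETERS-----\nplaceholder\n-----END DH PARAMETERS-----\n' \
        > "$1/dhparams.pem"
}

DEMO=$(mktemp -d)
setup_demo_tree "$DEMO"
run_deploy "$DEMO/certs" "$DEMO/domains.txt" "$DEMO/dhparams.pem" \
    "$DEMO/haproxy" "$DEMO/stamp" "echo reload command would run here"
rm -rf "$DEMO"
```

Only this script runs as root; the ACME client never needs to. The bundle is written mode 600 and owned by root, which suits HAProxy because it loads its certificates at start or reload before dropping privileges; a service that reads certificate files after dropping privileges would instead need the files owned by, or readable by, its own service account.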