py37-certbot question
Valeri Galtsev
galtsev at kicp.uchicago.edu
Sat Sep 12 16:24:05 UTC 2020
> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal <kpn at neutralgood.org> wrote:
>
> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>> On my fbsd system I manually renew. My notes from 2019 say it is necessary
>> to stop the server before renewing because certbot starts its own temporary
>> one to do the upgrade. So I do the sequence:
>> service apache24 stop
>> certbot renew
>> service apache24 start
>>
>> It may be the py37 version stops and restarts the server; I haven't tried it
>> without stopping the server so I don't know.
>
>> If it has been running weekly as a cron job, it should have been renewed
>> about three weeks ago. It should renew on the first attempt that is less
>> than 30 days until expiration. So it sounds like it is attempting to
>> renew but failing. It may be that if the server isn't stopped it won't
>> renew because it can't acquire the necessary port.
>
> Wait, that doesn't sound right. I never, ever stop services to run certbot
> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
> relevant virtual server(s) for the verification step. Then I copy the new
> certs to the relevant locations and bounce servers at that point. But a
> service outage is not required.
>
> I even have my http servers redirect all traffic to the https server EXCEPT
> for the certbot traffic. It's another example of mod_rewrite being one of
> the most powerful tools around IMHO.
>
> [kpn at gunsight1 ~]$ pkg info | grep certbot
> py37-certbot-1.7.0,1 Let's Encrypt client
> [kpn at gunsight1 ~]$
>
Thank you, Gary and Kevin. I just had yet another cron.weekly happen this morning, and the cert was not renewed. So, I ran certbot renew manually, and restarted apache. My trouble is in the way I configured the renewal cron job following somebody’s HOWTO; I will switch back to just a cron job with an appropriate explicit “certbot renew …” command after I check that the python3 based certbot does have --post-hook to restart apache in the event of successful cert renewal.
I’m sure Kevin is right: the web server must be running when certbot attempts to renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests the cert is capable of writing the challenge sent to it into the web directory.
Thanks again, everybody!
Valeri
> --
> Kevin P. Neal http://www.pobox.com/~kpn/
>
> "What is mathematics? The age-old answer is, of course, that mathematics
> is what mathematicians do." - Donald Knuth
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
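The two approaches discussed in this thread (Gary stopping apache24 so certbot can bind its own listener, Kevin leaving the server up and letting certbot drop the challenge token into the DocumentRoot, with mod_rewrite exempting that path from the HTTP-to-HTTPS redirect) can be combined into one cron-driven script. The following is an added example, not code from anyone in the thread; the DocumentRoot path, the `RUN` argument, and the function names are assumptions for a stock FreeBSD apache24 install. It uses certbot's `--deploy-hook`, which runs only for a certificate that was actually renewed, rather than `--post-hook`, which runs after the renewal attempt whether or not it succeeded.

```shell
#!/bin/sh
# Added example (not from the thread): weekly cron renewal for py37-certbot on
# FreeBSD using the webroot challenge, so apache24 keeps serving during renewal
# and is restarted only when a certificate really changed.
# WEBROOT is an assumed DocumentRoot; override it in the environment if needed.

WEBROOT="${WEBROOT:-/usr/local/www/apache24/data}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Preflight: Let's Encrypt validation only succeeds if certbot can write a token
# under the challenge directory (and Apache can then serve it over port 80).
# Returns 0 when the directory exists (creating it if needed) and is writable.
challenge_dir_writable() {
    dir="$1"
    mkdir -p "$dir" 2>/dev/null && [ -w "$dir" ]
}

# The renew command as a string: webroot authenticator (no temporary listener,
# so no need to stop apache24) and a deploy hook that fires only on success.
# certbot renew itself skips any cert with 30 or more days left, so running
# this weekly is a no-op most weeks and a renewal plus restart when it is due.
renew_command() {
    printf '%s\n' "certbot renew --webroot -w '$WEBROOT' --deploy-hook 'service apache24 restart'"
}

# Apache snippet for the plain-HTTP vhost: redirect everything to HTTPS except
# the ACME challenge path, so webroot validation keeps working on port 80.
acme_safe_redirect_conf() {
    cat <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

main() {
    if ! challenge_dir_writable "$CHALLENGE_DIR"; then
        echo "cannot write to $CHALLENGE_DIR; webroot validation would fail" >&2
        exit 1
    fi
    sh -c "$(renew_command)"
}

# Only renew when invoked as "renew.sh run" (e.g. from /etc/cron.weekly);
# sourcing the file just defines the functions above.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Drop the output of `acme_safe_redirect_conf` into the port-80 VirtualHost (with mod_rewrite loaded) and the redirect no longer breaks validation; a quick check after deploying is to fetch `http://yourhost/.well-known/acme-challenge/test` and confirm it returns a 404 from Apache rather than a 301 to HTTPS.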