py37-certbot question

Valeri Galtsev galtsev at kicp.uchicago.edu
Sat Sep 12 19:22:45 UTC 2020



> On Sep 12, 2020, at 1:58 PM, Dale Scott <dalescott at shaw.ca> wrote:
> 
> Keep in mind there are several use cases for LetsEncrypt. When I used LetsEncrypt to create a certificate I used the port 80 authentication method and had to shutdown apache during the procedure (restarting afterwards). Using certbot to renew the certificate is a different process and does not require shutting down services using port 80.
> 

Thank you, Dale! That is what Gary probably meant, and I, with my restricted knowledge of the options, didn’t realize that. Sorry, Gary, about my comment; now with Dale’s explanation I know what you meant.

Valeri

> ----- Original Message -----
>> From: "Valeri Galtsev" <galtsev at kicp.uchicago.edu>
>> To: "Kevin P. Neal" <kpn at neutralgood.org>
>> Cc: "freebsd-questions" <freebsd-questions at freebsd.org>
>> Sent: Saturday, September 12, 2020 10:17:06 AM
>> Subject: Re: py37-certbot question
> 
>>> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal <kpn at neutralgood.org> wrote:
>>> 
>>> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>>>> On my fbsd system I manually renew.  My notes from 2019 say it is necessary
>>>> to stop the server before renewing because certbot starts its own temporary
>>>> one to do the upgrade.  So I do the sequence:
>>>>  service apache24 stop
>>>>  certbot renew
>>>>  service apache24 start
>>>> 
>>>> It may be the py37 version stops and restarts the server; I haven't tried it
>>>> without stopping the server so I don't know.
>>> 
>>>> If it has been running weekly as a cron job, it should have been renewed
>>>> about three weeks ago.  It should renew on the first attempt that is less
>>>> than 30 days until expiration.  So it sounds like it is attempting to
>>>> renew but failing.  It may be that if the server isn't stopped it won't
>>>> renew because it can't acquire the necessary port.
>>> 
>>> Wait, that doesn't sound right. I never, ever stop services to run certbot
>>> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
>>> relevant virtual server(s) for the verification step. Then I copy the new
>>> certs to the relevant locations and bounce servers at that point. But a
>>> service outage is not required.
>>> 
>>> I even have my http servers redirect all traffic to the https server EXCEPT
>>> for the certbot traffic. It's another example of mod_rewrite being one of
>>> the most powerful tools around IMHO.
>>> 
>>> [kpn at gunsight1 ~]$ pkg info | grep certbot
>>> py37-certbot-1.7.0,1           Let's Encrypt client
>>> [kpn at gunsight1 ~]$
>>> 
>> 
>> Thank you, Gary and Kevin. I just had yet another cron.weekly happen this
>> morning, and the cert was not renewed. So, I ran certbot renew manually, and
>> restarted apache. My trouble is in the way I configured the renewal cron job
>> following somebody’s HOWTO; I will switch back to just a cron job with the
>> appropriate explicit “certbot renew …” command after I check that the python3-based
>> certbot does have --post-hook to restart apache in the event of successful cert
>> renewal.
>> 
>> I’m sure Kevin is right: the web server must be running when certbot attempts to
>> renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests the
>> cert is capable of writing the challenge sent to it into the web directory.
>> 
>> Thanks again, everybody!
>> 
>> Valeri
>> 
>>> --
>>> Kevin P. Neal                                http://www.pobox.com/~kpn/
>>> 
>>> "What is mathematics? The age-old answer is, of course, that mathematics
>>> is what mathematicians do." - Donald Knuth
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
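Added example (not any poster's configuration) of the setup Kevin describes above: the plain-HTTP virtual host serves the ACME HTTP-01 challenge files from its DocumentRoot and redirects everything else to HTTPS, so `certbot renew` with the webroot authenticator needs no port-80 outage; the paths, hostname and cron schedule are assumptions for a FreeBSD apache24 install.

```apache
# Added example, not from the thread. Paths assume a FreeBSD apache24 install.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/usr/local/www/apache24/data"

    # certbot (webroot authenticator) writes the HTTP-01 token under this
    # directory; serve it as plain static files and nothing else.
    <Directory "/usr/local/www/apache24/data/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # Redirect all HTTP traffic to HTTPS EXCEPT the ACME challenge path,
    # otherwise LetsEncrypt never sees the token and renewal fails.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Matching root crontab line (assumed schedule and paths). --deploy-hook runs
# only when a certificate was actually renewed, so apache24 is restarted to
# pick up the new cert and is otherwise left alone:
# 30 3 * * *  /usr/local/bin/certbot renew --quiet \
#     --webroot -w /usr/local/www/apache24/data \
#     --deploy-hook "service apache24 restart"
```

The renewal conf under the certbot config directory records which authenticator was used at issuance; if the cert was originally obtained with the standalone authenticator, the `--webroot -w` override on the renew line switches it to the no-outage path.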