Let's Encrypt
Dan Langille
dan at langille.org
Mon Sep 9 12:26:26 UTC 2019
On Mon, Sep 9, 2019, at 6:12 AM, Trond Endrestøl wrote:
> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24
> stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24
> stop" --post-hook "service apache24 start"
Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.
I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.
Should the cert-renewal process not run on a given day, no big deal, it runs the next day. I had considered running it less frequently, but settled on daily.
--
Dan Langille
dan at langille.org
More information about the freebsd-security
mailing list