:: Re: [devuan-dev] devuan.org cert
Author: golinux
Date:  
To: devuan developers internal list
Subject: Re: [devuan-dev] devuan.org cert
On 2017-07-15 11:28, Evilham wrote:
> On 15/07/2017 at 18:25, KatolaZ wrote:
>> git.devuan.org is under certbot. I guess all of them are under
>> certbot. I am not sure as to whether the web server gets restarted
>> correctly after the cert is updated on each of them (it does on
>> git.devuan.org, bugs.devuan.org, popcon.devuan.org).
> Do you happen to know _when_ it tries to update the cert? I added a
> 15-day check, but if certbot tries to update 10 days before expiry, that
> check is not telling us if certbot did its job.
>
> Basically I'd have to adapt my external cert checks, so that they
> trigger *after* certbot was supposed to renew them. That way we should
> only get an email about the certificates if it was not the case.


-----------------------------------

FYI, from D1G irc logs:

2017-07-05 08:58:49 rrq: re cert: the standard set up runs "certbot
renew" every 12 hours (midday + midnight), which
2017-07-05 08:59:14 rrq: supposedly renews the cert if near expiry.
2017-07-05 08:59:26 rrq: I'm trying to find out what "near" means.
2017-07-05 08:59:43 rrq: logically it should be >12h
2017-07-05 09:00:46 rrq: but there's been some serious python vomit:
7425 lines to do its thing :-(
2017-07-05 09:09:30 rrq: hmm default renewal supposedly is 30 days (or
less) before expiry
2017-07-05 09:17:57 golinux: So what went wrong? Any tracks in the logs?
You know that the Devuan certs fail regularly
2017-07-05 09:24:13 rrq: afaics nothing in the logs
2017-07-05 09:35:35 rrq: I changed the cron line to make the certbot
invocation log to /tmp/certbot.log
2017-07-05 09:36:12 rrq: the cert is 3 months, so that log will be
interesting in about 2 months

I think part of the problem is that nginx isn't getting restarted.
We'll be watching our certbot closely till the next renewal.

golinux
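
The two failure modes discussed in this thread (renewal not happening inside certbot's window, and the web server still presenting the old certificate after a renewal) can be checked together. The following is an added example, not part of the original message or of Devuan's tooling; the function names, the 3-day grace period and running it on the web host with read access to a single-certificate PEM file are assumptions.

```python
import hashlib
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

RENEW_BEFORE_DAYS = 30  # renewal window quoted in the IRC log ("30 days (or less)")
GRACE_DAYS = 3          # assumption: slack for a few failed 12-hourly cron runs


def parse_not_after(text):
    """Turn getpeercert()'s notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)


def fetch_served(host, port=443, timeout=10):
    """Return (DER bytes, notAfter) of the leaf certificate the server presents.
    An already expired or untrusted cert raises ssl.SSLError, itself an alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return der, parse_not_after(tls.getpeercert()["notAfter"])


def load_disk_der(pem_path):
    """Read a single-certificate PEM file (leaf only, not a full chain)."""
    with open(pem_path) as fh:
        return ssl.PEM_cert_to_DER_cert(fh.read())


def evaluate(served_der, served_not_after, disk_der, now):
    """Return findings as a list of strings; an empty list means stay quiet."""
    findings = []
    if hashlib.sha256(served_der).digest() != hashlib.sha256(disk_der).digest():
        findings.append("STALE_SERVED: server presents a different cert than "
                        "the file on disk; was the web server reloaded?")
    # Alert only once the renewal job has had its window plus the grace period.
    alert_from = served_not_after - timedelta(days=RENEW_BEFORE_DAYS - GRACE_DAYS)
    if now >= alert_from:
        days_left = (served_not_after - now).days
        findings.append(f"RENEWAL_OVERDUE: {days_left} days left on served cert")
    return findings


if __name__ == "__main__":
    host, pem_path = sys.argv[1], sys.argv[2]  # caller supplies both
    der, not_after = fetch_served(host)
    problems = evaluate(der, not_after, load_disk_der(pem_path),
                        datetime.now(timezone.utc))
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Run from cron with the host name and the path to the leaf certificate file as arguments; a non-zero exit status means there is something to mail about.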