:: Re: [devuan-dev] devuan.org cert
Author: KatolaZ
Date: 2017-07-17 08:17 -000
To: devuan-dev
Subject: Re: [devuan-dev] devuan.org cert
On Mon, Jul 17, 2017 at 12:03:47PM +0200, Jaromil wrote:
> On Sat, 15 Jul 2017, Ivan J. wrote:
> > lol
> I this may be interpreted as sarcasm, since Ivan made a point already
> some time ago about centralisation of the infrastructure.
> while we are working on that, nextime fixed the issue on the website,
> it was a misconfiguration of Let's Encrypt.

All sites using a Let's Encrypt certificate should have something like
this in the root crontab:

57 23 * * * /root/certbot/certbot-auto renew --no-self-upgrade --post-hook "/etc/init.d/nginx restart"

It is important to *not* stop nginx (or apache) with a --pre-hook,
otherwise the certificate renewal will fail (the authentication is
based on the webserver being active and accessible at the named FQDN,
and being able to serve a token provided by the local certbot
client). But the webserver *must* be restarted once the cert has been

Other services might need to be stopped/started or restarted due to a
cert upgrade, but this is site-dependent. The actual timing of the
script is irrelevant, as long as it is run daily, since certbot
updates the certificates when they are less than 30 days from
expiration, IIRC.



[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]
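
Added example (not part of the message above and not certbot's own code): a shell lint that reads crontab text on stdin and flags a certbot renew entry that is not run daily, stops the webserver in a --pre-hook, or lacks a --post-hook restart. The function name audit_renew_cron and the finding labels are made up for this example, and accepting "reload" as well as "restart" is an assumption.

```shell
#!/bin/sh
# Lint crontab text on stdin for the certbot renew entry described above.
# Prints one finding per line and returns 1; returns 0 when the entry looks right.
audit_renew_cron() {
    findings=$(awk '
    # Return the argument that follows option opt (quoted or bare), else "".
    function hook(line, opt,    i, rest, q) {
        i = index(line, opt)
        if (!i) return ""
        rest = substr(line, i + length(opt))
        sub(/^[ =]+/, "", rest)
        q = substr(rest, 1, 1)
        if (q == "\"" || q == "\047") {          # \047 is a single quote
            rest = substr(rest, 2)
            return substr(rest, 1, index(rest, q) - 1)
        }
        sub(/[ \t].*/, "", rest)
        return rest
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    !/certbot/ || !/ renew/ { next }             # only certbot renew jobs
    {
        seen = 1
        # Daily means day-of-month, month and day-of-week are all "*".
        daily = ($1 ~ /^@(daily|midnight|hourly)$/) || ($3 == "*" && $4 == "*" && $5 == "*")
        if (!daily) print "NOT-DAILY: " $0
        # Stopping the webserver first breaks the token check during renewal.
        pre = hook($0, "--pre-hook")
        if (pre ~ /nginx|apache|httpd/ && pre ~ /stop/)
            print "PRE-HOOK-STOPS-WEBSERVER: " $0
        # The renewed cert is only served after a restart (reload is accepted
        # too, which is an assumption of this example).
        post = hook($0, "--post-hook")
        if (post !~ /nginx|apache|httpd/ || post !~ /restart|reload/)
            print "NO-WEBSERVER-RESTART-POST-HOOK: " $0
    }
    END { if (!seen) print "NO-RENEW-ENTRY" }
    ')
    [ -z "$findings" ] && return 0
    printf "%s\n" "$findings"
    return 1
}

# Constructed sample: the entry from the message, then a misconfigured one.
audit_renew_cron <<'EOF' || true
57 23 * * * /root/certbot/certbot-auto renew --no-self-upgrade --post-hook "/etc/init.d/nginx restart"
0 3 1 * * /root/certbot/certbot-auto renew --pre-hook "/etc/init.d/nginx stop"
EOF
```

Feeding it the output of "crontab -l" as root checks the live configuration.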