:: Re: [devuan-dev] devuan.org cert
Forside
Slet denne besked
Besvar denne besked
Skribent: KatolaZ
Dato:  
Til: devuan-dev
Emne: Re: [devuan-dev] devuan.org cert
On Mon, Jul 17, 2017 at 12:03:47PM +0200, Jaromil wrote:
> On Sat, 15 Jul 2017, Ivan J. wrote:
>
> > lol
>
> I this may be interpreted as sarcasm, since Ivan made a point already
> some time ago about centralisation of the infrastructure.
>
> while we are working on that, nextime fixed the isse on the website,
> it was a misconfiguration of lets'encrypt.
>


All sites using a Let's Encrypt certificate should have something like
this in the root crontab:

57 23 * * * /root/certbot/certbot-auto renew --no-self-upgrade --post-hook "/etc/init.d/nginx restart"

It is important to *not* stop nginx (or apache) with a --pre-hook,
otherwise the certificate renewal will fail (the authentication is
based on the webserver being active and accessible at the named FQDN,
and being able to serve a token provided by the local certbot
client). But the webserver *must* be restarted once the cert has been
renewed.

Other services might need to be stopped/started or restarted due to a
cert upgrade, but this is site-dependent. The actual timing of the
script is irrelevant, as long as it is run daily, since certbot
updates the certificates when they are less than 30 days from
expiration, IIRC.

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]