:: Re: [devuan-dev] devuan.org cert
Author: KatolaZ
Date:  
To: devuan-dev
Subject: Re: [devuan-dev] devuan.org cert
On Mon, Jul 17, 2017 at 12:03:47PM +0200, Jaromil wrote:
> On Sat, 15 Jul 2017, Ivan J. wrote:
>
> > lol
>
> I think this may be interpreted as sarcasm, since Ivan made a point already
> some time ago about centralisation of the infrastructure.
>
> while we are working on that, nextime fixed the issue on the website,
> it was a misconfiguration of Let's Encrypt.
>


All sites using a Let's Encrypt certificate should have something like
this in the root crontab:

57 23 * * * /root/certbot/certbot-auto renew --no-self-upgrade --post-hook "/etc/init.d/nginx restart"

It is important to *not* stop nginx (or apache) with a --pre-hook,
otherwise the certificate renewal will fail (the authentication is
based on the webserver being active and accessible at the named FQDN,
and being able to serve a token provided by the local certbot
client). But the webserver *must* be restarted once the cert has been
renewed.

Other services might need to be stopped/started or restarted due to a
cert upgrade, but this is site-dependent. The actual timing of the
script is irrelevant, as long as it is run daily, since certbot
updates the certificates when they are less than 30 days from
expiration, IIRC.

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]
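
A check for the three points made in the message above (no --pre-hook that stops the web server, a restart after renewal, a daily schedule), as an added example that is not part of the original message. The function names and finding labels are hypothetical, and the sample crontab is constructed around the one line the message gives.

```sh
#!/bin/sh
# Added example: audit crontab lines that run "certbot renew".
# Function names and finding labels are hypothetical, not certbot's.

# hook_value NAME LINE: print the quoted argument of --NAME, or nothing.
hook_value() {
    printf '%s\n' "$2" | sed -n "s/.*--$1[ =]*[\"']\([^\"']*\)[\"'].*/\1/p"
}

# audit_line LINE: print "ok", "skip" (not a renew job) or the findings.
# Exit status is 0 for ok/skip and 1 when there is at least one finding.
audit_line() {
    line=$1 out=""
    case $line in \#*) echo skip; return 0 ;; esac
    printf '%s\n' "$line" | grep -Eq 'certbot(-auto)?[[:space:]]+renew' ||
        { echo skip; return 0; }

    pre=$(hook_value pre-hook "$line")
    post=$(hook_value post-hook "$line")
    # --deploy-hook also runs after a renewal, so accept it as well.
    [ -n "$post" ] || post=$(hook_value deploy-hook "$line")

    # The validation needs the web server up: flag a pre-hook that stops it.
    if printf '%s\n' "$pre" |
        grep -Eq '(nginx|apache|httpd).*stop|stop.*(nginx|apache|httpd)'; then
        out="pre-hook-stops-webserver"
    fi
    # The running server keeps the old cert until it is restarted/reloaded.
    if ! printf '%s\n' "$post" | grep -Eq '(re)?start|reload'; then
        out="${out:+$out }no-restart-after-renewal"
    fi
    # Daily means day-of-month, month and day-of-week (fields 3-5) are all *.
    set -f; set -- $line; set +f
    if [ "$3" != "*" ] || [ "$4" != "*" ] || [ "$5" != "*" ]; then
        out="${out:+$out }not-daily"
    fi
    echo "${out:-ok}"
    [ -z "$out" ]
}

# Constructed sample crontab; the first job is the one from the message.
while IFS= read -r l; do
    printf '%-60s <- %.40s\n' "$(audit_line "$l")" "$l"
done <<'EOF'
# m h dom mon dow command
57 23 * * * /root/certbot/certbot-auto renew --no-self-upgrade --post-hook "/etc/init.d/nginx restart"
0 3 1 * * certbot renew --pre-hook "service nginx stop"
30 4 * * * certbot renew
EOF
```

Feeding it the output of `crontab -l` for root line by line gives the same report for a live host.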