On 13/10/2019 19:52, Leif Pedersen wrote:
On Sat, Oct 12, 2019 at 6:28 PM Garrett Wollman <woll...@bimajority.org> wrote:
<<On Tue, 10 Sep 2019 07:52:31 +0700, Victor Sudakov <v...@mpeks.tomsk.su> said:
Trond Endrestøl wrote:
#minute hour mday month wday who command
52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
Is it safe to run certbot as root?
I can't speak to certbot (I currently use acmetool) but in general,
the thing that certbot does requires the ability to signal whatever
process is using the certificates, which is normally going to be a web
server but might be a mail server, name server, RADIUS server, or some
other application -- as shown in the example above. So if you don't
run it as root (probably smart) you'll need to find another way to
tell the TLS server application to reload its certificates when
needed.
-GAWollman
A good point. One option might be to run two cron jobs. One job would run
certbot as an unprivileged user, and the other would run "service apache24
restart" as root an hour or so later. (Or maybe reload is enough.)
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Or something like this. Check if there are new certs and if so do
something with them:
#!/usr/local/bin/bash
# Run from root's crontab. Only does anything when dehydrated wrote new RSA
# files within the last hour (FreeBSD find accepts -mtime -1h), so this job
# has to run at least hourly after the unprivileged renewal job.
if [[ -n $(/usr/bin/find /usr/local/etc/dehydrated/rsa/ -mtime -1h -type f) ]]
then
    # First column of domains.txt is the primary name, which is also the
    # name of the per-certificate directory.
    /usr/bin/awk '{print $1}' /usr/local/etc/dehydrated/domains.txt | \
    while read -r a
    do
        # Copy certs for HAproxy: cert, key, chain and DH params in one file,
        # mode 600 because it holds the private key
        /bin/cat /usr/local/etc/dehydrated/rsa/"$a"/cert.pem \
            /usr/local/etc/dehydrated/rsa/"$a"/privkey.pem \
            /usr/local/etc/dehydrated/rsa/"$a"/chain.pem \
            /usr/local/etc/ssl/dhparams.pem > \
            /usr/local/etc/ssl/haproxy/"$a".pem.rsa
        /bin/chmod 600 /usr/local/etc/ssl/haproxy/"$a".pem.rsa
        /bin/cp /usr/local/etc/dehydrated/rsa/"$a"/chain.pem \
            /usr/local/etc/ssl/haproxy/"$a".pem.rsa.issuer
        # Copy certs for HAproxy, this time the ECDSA stuff
        /bin/cat /usr/local/etc/dehydrated/ecdsa/"$a"/cert.pem \
            /usr/local/etc/dehydrated/ecdsa/"$a"/privkey.pem \
            /usr/local/etc/dehydrated/ecdsa/"$a"/chain.pem \
            /usr/local/etc/ssl/dhparams.pem > \
            /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa
        /bin/chmod 600 /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa
        /bin/cp /usr/local/etc/dehydrated/ecdsa/"$a"/chain.pem \
            /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa.issuer
    done
    # Some standard stuff for configs with fixed cert names
    /bin/cp /usr/local/etc/dehydrated/rsa/$(hostname)/cert.pem \
        /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/$(hostname)/privkey.pem \
        /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/$(hostname)/fullchain.pem \
        /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/$(hostname)/chain.pem \
        /usr/local/etc/ssl/syslog-ng/
    # Rebuild the hash symlinks so OpenSSL-based lookups find the new chain
    /usr/local/bin/c_rehash /usr/local/etc/ssl/syslog-ng/
    # Restart services
    /usr/bin/killall haproxy
    /usr/local/etc/rc.d/haproxy restart
    /usr/local/etc/rc.d/syslog-ng restart
    /usr/local/etc/rc.d/postfix restart
fi
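As an added example (not code from this thread), here is a POSIX sh version of the "check for new certs and rebuild" step that compares the leaf certificate against a stamp from the last deployment instead of relying on find -mtime -1h, so it does not matter how often the root job runs relative to the unprivileged renewal job. The directory layout follows the script above; the .stamp file, the function names and the temporary-file handling are this example's assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: rebuild an HAProxy bundle from a
# dehydrated output directory only when the leaf certificate differs from the
# one deployed last time. A stamp file (assumption of this example) replaces
# the find -mtime -1h check, so the root job may run on any schedule.

# update_bundle SRC_DIR DST_FILE DHPARAMS_FILE
# Exit status: 0 = bundle rewritten (reload needed), 1 = unchanged,
#              2 = source incomplete or write failure.
update_bundle() {
    src=$1 dst=$2 dh=$3
    for f in cert.pem privkey.pem chain.pem; do
        [ -s "$src/$f" ] || return 2
    done
    [ -s "$dh" ] || return 2
    # cksum is POSIX, so the stamp is portable between FreeBSD and Linux.
    new=$(cksum < "$src/cert.pem")
    if [ -s "$dst" ] && [ "$(cat "$dst.stamp" 2>/dev/null)" = "$new" ]; then
        return 1
    fi
    tmp=$(mktemp "$dst.XXXXXX") || return 2
    # Build the file with mode 0600 from the start and move it into place
    # atomically, so HAProxy never sees a half-written or world-readable key.
    if ( umask 077; cat "$src/cert.pem" "$src/privkey.pem" "$src/chain.pem" "$dh" > "$tmp" ) &&
       chmod 600 "$tmp" && mv "$tmp" "$dst"; then
        printf '%s\n' "$new" > "$dst.stamp"
        cp "$src/chain.pem" "$dst.issuer"
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# deploy_all DOMAINS_FILE DEHYDRATED_DIR OUT_DIR DHPARAMS_FILE
# Walks the first column of domains.txt like the script above and returns 0
# when at least one bundle changed (the caller should reload HAProxy), else 1.
deploy_all() {
    changed=1
    while read -r name rest; do
        case $name in ''|\#*) continue ;; esac
        rc=0
        update_bundle "$2/$name" "$3/$name.pem.rsa" "$4" || rc=$?
        case $rc in
            0) changed=0 ;;
            2) echo "skipping $name: incomplete certificate set" >&2 ;;
        esac
    done < "$1"
    return $changed
}
```

A root cron entry would call deploy_all with the real paths and run "service haproxy reload" only when it returns 0.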