Re: Let's Encrypt

2019-09-09 Thread Victor Sudakov
Victor Sudakov wrote: > > Which client is now recommended to work with Let's Encrypt? > > I see numerous clients in the ports tree, some deleted, some renamed... > Which one is good? It is interesting how several people advised different software: py-certbot, acme.sh, dehydrated. The majority

Re: Let's Encrypt

2019-09-09 Thread Trond Endrestøl
On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote: > The majority is for py-certbot, so I'll probably use it. Thank you. I have found it prudent to run certbot twice a month from cron(8), just to be safe. Last year, I had one case where the certificate expired a few hours before the next run

Re: Let's Encrypt

2019-09-09 Thread Vladimir Botka
On Mon, 9 Sep 2019 12:12:55 +0200 (CEST) Trond Endrestøl wrote: > On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote: > > > The majority is for py-certbot, so I'll probably use it. Thank you. > > I have found it prudent to run certbot twice a month from cron(8), > just to be safe. > > Last

Re: Let's Encrypt

2019-09-09 Thread Thomas Zander via freebsd-security
On Sun, 8 Sep 2019 at 16:58, Victor Sudakov wrote: > Which client is now recommended to work with Let's Encrypt? > > I see numerous clients in the ports tree, some deleted, some renamed... > Which one is good? I use net/traefik as reverse proxy. It has Let's Encrypt support built-in, see https:/

Re: Let's Encrypt

2019-09-09 Thread Dan Langille
On Mon, Sep 9, 2019, at 6:12 AM, Trond Endrestøl wrote: > On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote: > > > The majority is for py-certbot, so I'll probably use it. Thank you. > > I have found it prudent to run certbot twice a month from cron(8), > just to be safe. > > Last year, I had

Re: Let's Encrypt

2019-09-09 Thread Andrea Venturoli
On 2019-09-09 14:26, Dan Langille wrote: Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues. I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before

Re: Let's Encrypt

2019-09-09 Thread Dan Langille
> On Sep 9, 2019, at 8:30 AM, Andrea Venturoli wrote: > > On 2019-09-09 14:26, Dan Langille wrote: > >> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at >> their earliest possibility. This gives me the maximum time to fix any issues. >> I combine the above with monitoring

Re: Let's Encrypt

2019-09-09 Thread Andrea Venturoli
On 2019-09-09 14:36, Dan Langille wrote: My Nagios alerts are on the certs. It monitors the certs on the services: e.g. www.freshports.org Sure. Probably I wasn't clear: Nagios looks at the certificates in my case too.

Re: Let's Encrypt

2019-09-09 Thread Victor Sudakov
Trond Endrestøl wrote: > > #minute hour mday month wday who command > > 524 1 * * root certbot renew --quiet > --pre-hook "service apache24 stop" --post-hook "service apache24 start" > 521 15 * * root certbot renew

Re: Let's Encrypt

2019-09-09 Thread Micheas Herman
You would ideally create a certbot user that has just the permissions it needs. It has a fairly decent security history. So it's probably not the worst to run as root in a limited manner. On Mon, Sep 9, 2019, 5:52 PM Victor Sudakov wrote: > Trond Endrestøl wrote: > > > > #minute hour