On Thu, May 30, 2019 at 6:54 PM James Cook <jc...@cs.berkeley.edu> wrote:
> When I try to load https://mailman.agoranomic.org/, I see a certificate error:

Sorry about this!  Despite the "Attn omd" in the subject, my eyes saw
the "DIS:" and jumped over the rest; I was putting off reading Agora
list messages so I didn't see it until now.  (Even though you also
added me directly as a recipient, Gmail only shows a single message,
and it includes the DIS: prefix even though I imagine the copy you
sent directly didn't have it.)

In fact, I already fixed the issue but was too lazy to make an
announcement about it.

Sorry about the outage.

Why it failed:

I've long had a cron job set to try to renew the cert monthly; the
Let's Encrypt certificate period is three months, so I guess this time
it just happened to fail three times in a row.  (Looking at the logs,
at least the most recent failure was a 500 error on Let's Encrypt's
end.)

That simplistic schedule was inherited from when I was using
acme-tiny.  At some point I switched to certbot, but I kept the cron
job the same and used --force-renewal to mimic the old behavior.  Now
I've fixed it to just run certbot daily, but using the (default)
option that only tries to renew the cert if it's expiring in less than
30 days.  That way it won't constantly be renewing, but still has ~30
chances to succeed before the cert expires, making it unlikely to let
a cert expire due to random failures.
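
Added example, not part of the message above and not the poster's own tooling: a small model that counts how many renewal attempts each schedule gets before a 90-day certificate expires, and the chance that all of them fail. The issuance date, the cron firing on the 1st of the month, the per-attempt failure rate, and the independence of failures are assumptions made for illustration.

```python
from datetime import date, timedelta

CERT_LIFETIME = timedelta(days=90)  # "three months", as stated in the message
RENEW_WINDOW = timedelta(days=30)   # renew only when fewer than 30 days remain

def monthly_forced(day, not_after):
    """Old schedule: cron fires on the 1st (assumed) and always attempts renewal."""
    return day.day == 1

def daily_if_due(day, not_after):
    """New schedule: cron fires daily, but an attempt happens only inside the window."""
    return not_after - day < RENEW_WINDOW

def attempts_before_expiry(issued, schedule):
    """Count renewal attempts after issuance and before expiry if every attempt fails."""
    not_after = issued + CERT_LIFETIME
    attempts = 0
    day = issued + timedelta(days=1)
    while day < not_after:
        if schedule(day, not_after):
            attempts += 1
        day += timedelta(days=1)
    return attempts

def expiry_probability(attempts, p_fail):
    """Chance that every attempt fails, assuming independent failures (a simplification)."""
    return p_fail ** attempts

if __name__ == "__main__":
    issued = date(2019, 2, 1)  # constructed issuance date
    for name, schedule in (("monthly --force-renewal", monthly_forced),
                           ("daily, renew if <30 days left", daily_if_due)):
        n = attempts_before_expiry(issued, schedule)
        print(f"{name}: {n} attempts, P(expiry) = {expiry_probability(n, 0.1):.0e}")
```

Real failures are often correlated (an outage on the CA side can span several days), so the daily figure is optimistic; alerting on the certificate's remaining lifetime covers that case independently of the renewal job.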
