On Mon, 9 Sep 2019 12:12:55 +0200 (CEST) Trond Endrestøl <trond.endres...@ximalas.info> wrote:
> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote: > > > The majority is for py-certbot, so I'll probably use it. Thank you. > > I have found it prudent to run certbot twice a month from cron(8), > just to be safe. > > Last year, I had one case where the certificate expired a few hours > before the next run of certbot. Had I run certbot on the 1st and on > the 15th day of each month, then the certificates would have been > updated ahead of their expiration. > > E.g.: > > #minute hour mday month wday who command > > 52 4 1 * * root certbot renew --quiet > --pre-hook "service apache24 stop" --post-hook "service apache24 start" > 52 1 15 * * root certbot renew --quiet > --pre-hook "service apache24 stop" --post-hook "service apache24 start" I believe --dry-run renewal is encouraged. Both for testing on the development side and to be sure all is running well on the user's side. See "Help us test renewal with “letsencrypt renew” https://community.letsencrypt.org/t/help-us-test-renewal-with-letsencrypt-renew/10562 Q. What’s the new --dry-run flag? A. The new --dry-run flag for both certonly and renew performs the certificate request(s) against the staging server, which issues test certificates that are not trusted by browsers. This verifies whether you’re apparently able to get a certificate, in your current configuration, using the method that you specified (for example, if you were using webroot authentication, whether your webroot configuration is capable of being validated by the CA). With --dry-run, the certificates obtained are not actually saved to disk and your configuration is not updated. You can use this to simulate what would apparently happen if you ran the command without --dry-run. FWIW, here is the link to my wrappers for certbot (last update June 2018) https://github.com/vbotka/le-utils For example below is a fragment from crontab. 1) Daily send email with certificates that expire within 30 days. 2) Daily dry-run renew all certificates. 3) Daily renew certificates that expire within 30 days. #Ansible: check expiry of certificates 15 2 * * * /root/bin/leinfo -e --Days=30 -a #Ansible: dry-run renewal of certificates 20 2 * * * /root/bin/lectl -s -n -c -a #Ansible: renewal of certificates 20 3 * * * /root/bin/lectl -s -D=30 -c -a && /root/bin/lectl -s -p && /root/bin/leinfo -s -g -a If all is right I get only emails with the renewals. Cheers, -vlado
pgpL65gjYquJZ.pgp
Description: OpenPGP digital signature
