On Mon, Sep 9, 2019, at 6:12 AM, Trond Endrestøl wrote:
> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.

I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.

Should the cert-renewal process not run on a given day, no big deal, it runs the next day. I had considered running it less frequently, but settled on daily.

-- 
Dan Langille
d...@langille.org
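
A 28-day expiry alert of the kind described in the reply above can be checked locally with openssl(1). This is an added example, not code from the thread, certbot or acme.sh; the function names, the `THRESHOLD_DAYS` variable and the certificate paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example: report certificates with fewer than THRESHOLD_DAYS left.
# Assumptions: openssl(1) is in PATH; PEM certificate files are passed as
# arguments; THRESHOLD_DAYS and the function names are illustrative.
THRESHOLD_DAYS=${THRESHOLD_DAYS:-28}

# cert_status FILE: print OK, EXPIRING, EXPIRED or UNREADABLE.
# Return 0 only for OK, so callers can branch on the exit status.
cert_status() {
    cert=$1
    window=$((THRESHOLD_DAYS * 86400))
    # A file that does not parse as a certificate must alert, not pass.
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo UNREADABLE; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -noout -checkend "$window" -in "$cert" >/dev/null 2>&1; then
        echo EXPIRING; return 1
    fi
    echo OK
}

# check_certs FILE...: print one line per problem certificate and return
# the worst status seen. Silent on success, so cron(8) mails only alerts.
check_certs() {
    worst=0
    for c in "$@"; do
        rc=0
        status=$(cert_status "$c") || rc=$?
        [ "$rc" -eq 0 ] || echo "$status: $c"
        [ "$rc" -le "$worst" ] || worst=$rc
    done
    return "$worst"
}

# Run only when certificate paths were given on the command line.
[ $# -eq 0 ] || check_certs "$@"
```

Run it from cron(8) with the certificate files as arguments; because it prints nothing when every certificate is outside the threshold, any mail from cron is an alert, and an unreadable or missing file is reported rather than silently skipped.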