> On Sep 9, 2019, at 8:30 AM, Andrea Venturoli <m...@netfence.it> wrote:
> 
> On 2019-09-09 14:26, Dan Langille wrote:
> 
>> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at 
>> their earliest possibility. This gives me the maximum time to fix any issues.
>> I combine the above with monitoring to raise alerts if any tickets have less 
>> than 28 days left before they expire.
> 
> Same here: Nagios will alert me in case acme.sh is not doing its job (daily), 
> although this has almost never happened.

My Nagios alerts are on the certs. It monitors the certs on the services: e.g. 
www.freshports.org

Those alerts let me know if there are any issues in the cert distribution 
chain: my certs are renewed on one host, and then automagically
deployed across multiple servers (and jails on other hosts).

I do not have Nagios monitoring day-to-day runs of acme.sh

I use the (relatively new) notify feature on acme.sh to tell me if there were 
any errors during the renewal process:

   https://github.com/Neilpang/acme.sh/wiki/notify

Some might think: that's not good enough. What if cert fails to run and the 
certs don't get renewed in time?

Monitoring of the deployed scripts will let me know of that. Certs are renewed 
with 30 days remaining. Alerts trigger at 28 days.
That is enough time to fix anything broken.


— 
Dan Langille
http://langille.org/
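A Nagios-style check of the kind Dan describes, written here as an added example (it is not Dan's own plugin or configuration): it connects to the live service, reads the served leaf certificate's expiry, and returns WARNING once fewer than 28 days remain, matching the post's threshold. The 7-day CRITICAL threshold, the default target hostname and the `now` override are assumptions for the example; a handshake or chain-verification failure is reported as CRITICAL because that is exactly the deployment-chain breakage the monitoring is meant to catch.

```python
#!/usr/bin/env python3
"""Nagios-style plugin: days until the certificate a service actually serves expires.

Added example, not the original poster's script. Thresholds: WARNING below
28 days (from the post), CRITICAL below 7 days (assumption).
"""
import socket
import ssl
import sys
import time

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

WARN_DAYS = 28   # from the post: alerts trigger at 28 days
CRIT_DAYS = 7    # assumption: the thread does not state a critical threshold


def days_remaining(not_after, now=None):
    """Days (float, may be negative) until a cert's notAfter.

    not_after is the string form ssl.getpeercert() returns, e.g.
    'Oct  9 12:00:00 2019 GMT'. now defaults to the current time; it may also
    be given in the same string form (assumption, handy for replay and tests).
    """
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return (expires - now) / 86400.0


def classify(days, warn=WARN_DAYS, crit=CRIT_DAYS):
    """Map days remaining to a Nagios state and a one-line status message."""
    if days < 0:
        return CRITICAL, f"CRITICAL - certificate expired {-days:.1f} days ago"
    if days < crit:
        return CRITICAL, f"CRITICAL - certificate expires in {days:.1f} days"
    if days < warn:
        return WARNING, f"WARNING - certificate expires in {days:.1f} days"
    return OK, f"OK - certificate expires in {days:.1f} days"


def fetch_not_after(host, port=443, timeout=10):
    """Handshake with the live service and return the leaf cert's notAfter.

    create_default_context() verifies the chain and the hostname, so a bad
    deploy (stale cert, wrong cert, missing intermediate) fails here rather
    than being reported as 'OK' from a cert file on disk.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host, port=443, now=None):
    """Return (exit_code, message) for one service endpoint."""
    try:
        not_after = fetch_not_after(host, port)
    except OSError as exc:  # ssl.SSLError, socket.timeout, gaierror are all OSError
        # A handshake or verification failure is itself a distribution-chain problem.
        return CRITICAL, f"CRITICAL - {host}:{port} TLS failure: {exc}"
    state, msg = classify(days_remaining(not_after, now))
    return state, f"{msg} ({host}:{port}, notAfter={not_after})"


if __name__ == "__main__":
    # Target hostname is a placeholder taken from the post; pass your own.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.freshports.org"
    state, msg = check_host(target)
    print(msg)
    sys.exit(state)
```

Run it from Nagios as any other plugin (`check_cert_expiry.py www.example.org`); the exit code is the state and the first line of output is the status text. Because it talks to the service rather than reading the renewed file on the acme.sh host, it covers the "renewed but never deployed" case the post is concerned with.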




_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security