Check certificate renewal #18

Open
justinwb opened this issue Oct 19, 2020 · 5 comments

@justinwb
Member

Ensure that certbot renewal is in place and functioning correctly.

@bourgeoa
Member

bourgeoa commented Apr 5, 2021

It would be nice to have an automatic renewal of Let's Encrypt certificates.

I followed the Gandi plugin issue and it seems that this plugin https://github.com/obynio/certbot-plugin-gandi has been updated and is working again. Maybe it is usable for automatic cert updates followed by a restart of solidcommunity.net and solidcommunity.net:8443.

@bourgeoa
Member

bourgeoa commented Apr 6, 2021

Let's Encrypt certificates renewal every 3 months:

  • 6 April 2020 0:30

@bourgeoa
Member

bourgeoa commented Jan 24, 2023

systemd contains /lib/systemd/system/certbot.timer which makes an automatic certbot renewal every 2 months.
The renewal configuration files are located in /etc/letsencrypt/renewal/

```
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/solidcommunity.net
cert = /etc/letsencrypt/live/solidcommunity.net/cert.pem
privkey = /etc/letsencrypt/live/solidcommunity.net/privkey.pem
chain = /etc/letsencrypt/live/solidcommunity.net/chain.pem
fullchain = /etc/letsencrypt/live/solidcommunity.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = *******************
pref_challs = dns-01,
authenticator = certbot-plugin-gandi:dns
certbot_plugin_gandi:dns_credentials = /etc/letsencrypt/gandi.ini
server = https://acme-v02.api.letsencrypt.org/directory
```

The remaining issue is to restart the servers with `pm2 restart all` after an update of the certs.
A cron job every 3 weeks would do the trick.

```
# restart on Monday every 3 weeks at 1am to eventually update the certs that are renewed with systemd every 2 months
# (% must be written \% inside a crontab; POSIX [ ] is used because cron runs commands with /bin/sh by default)
0 1 * * 1 [ $(( ( $(date +\%s) - $(date +\%s --date=20220606) ) / 86400 \% 21 )) -eq 0 ] && pm2 restart all
```

done
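
An added example, not part of the thread or the project's code: one way to check that the restart after a renewal took effect, by comparing the SHA-256 fingerprint of the certificate on disk with the one each listener serves. The function names and port 443 for the first listener are assumptions; the certificate path and port 8443 come from the comments above.

```python
import hashlib
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM text (the leaf in cert.pem or fullchain.pem)."""
    start = pem_text.index(BEGIN)                 # ValueError if no certificate is present
    stop = pem_text.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:stop])).hexdigest()


def served_pem(host, port):
    """Leaf certificate the listener presents; no chain validation, only the bytes matter here."""
    return ssl.get_server_certificate((host, port))


def stale_listeners(disk_pem, listeners, fetch=served_pem):
    """Return the (host, port) pairs not serving the certificate that is on disk."""
    want = leaf_fingerprint(disk_pem)
    stale = []
    for host, port in listeners:
        try:
            ok = leaf_fingerprint(fetch(host, port)) == want
        except (OSError, ValueError):
            ok = False                            # unreachable or unparsable counts as a failure
        if not ok:
            stale.append((host, port))
    return stale


if __name__ == "__main__":
    # Path taken from the renewal configuration in the thread; port 443 is an assumption.
    # Needs read access to /etc/letsencrypt/live.
    cert_path = "/etc/letsencrypt/live/solidcommunity.net/cert.pem"
    targets = [("solidcommunity.net", 443), ("solidcommunity.net", 8443)]
    with open(cert_path) as fh:
        bad = stale_listeners(fh.read(), targets)
    for host, port in bad:
        print(f"{host}:{port} is not serving the certificate on disk; restart needed")
    sys.exit(1 if bad else 0)
```

A non-zero exit status means at least one listener still holds an older certificate in memory or could not be reached.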

@csarven
Member

csarven commented Jan 24, 2023

For my personal stuff, I have a daily cron that checks whether certificates are due for renewal, e.g.

```
0 0    * * * user certbot -n renew
```

And if the day falls into a period where renewals are possible, it will attempt to renew - this is well ahead of it possibly ever expiring.

@bourgeoa
Member

bourgeoa commented Jun 19, 2023

The use of Ubuntu snap for certbot is taking too much RAM resources. snapd is running in the background and when updating certbot this creates memory swaps. https://matrix.to/#/!VAJLTawStGAyYwzTTY:gitter.im/$O4l4ActnrIWDRQ7zDucSVOMWY_sSb4f85NFJSdJz65E?via=gitter.im&via=matrix.org

This could be avoided using https://askubuntu.com/questions/1045542/how-to-stop-snapd-from-auto-updating
