[buug] letsencrypt
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Sun May 7 21:53:33 PDT 2017
Well, I seem to recall (which may *not* be fully accurate)
... that the default behavior is renewal attempts start at 30 days
before expiration, and continue daily thereafter until successfully
renewed/replaced. I'm fairly sure that information is in the
various documentation/FAQ(s) or the like - at least that's where I
seem to recall having read it before.
Some bits of what I do (not that I'd at all recommend everyone do
same):
o I use a relatively "manual" "renewal" process ... but that's highly
aided by a pair of scripts I wrote - so it automates much of the
process.
o "renew" - it needn't explicitly be a renewal, requesting new cert
for same, is in most ways equivalent ... but I think there's an extra
option to pass to effectively say yes, that's what I want to do and
ignore that there are still active matching certs[1]
o I use a dedicated non-privileged ID for most all of the cert request /
"renew" process - it generates key(s), CSR(s), requests cert(s),
interacts with ACME, and obtains cert(s).
o If I added an expect layer between some of the (major) "helper"/wrapper
scripts I use, it would then almost be a push-button fire-and-forget
operation ... but it's "easy enough" as it is thus far, I've not taken
it to that point ... yet.
o Thus far I've not entrusted certbot or the like to itself install
new/updated cert into web server(s), etc.
Also, probably not a bad idea to wrap some monitoring around certs and
expirations in general. E.g. if one automates it to renew at 30 days
remaining, probably have it trigger some alarm/notification when days
remaining gets down to 15.
references/excerpts/footnotes:
1. certbot(1) --duplicate - peeked at my script - that's the option
> From: "Ian Zimmerman" <itz at primate.net>
> Subject: Re: [buug] letsencrypt
> Date: Sun, 7 May 2017 19:25:24 -0700
> On 2017-05-07 18:47, Wojciech Adam Koszek wrote:
>
>> You start getting reminders around 2 weeks before the expiration date,
>> so I guess anything closer to expiration should be fine.
>
> I guess I have not been clear enough.
>
> I'm not afraid of running the client too often and being kicked or
> penalized. I'm afraid of running it too rarely, and missing renewal
> because:
>
> at time _t_ certbot decides it's too far in the future, so doesn't try.
> (so what is "too far" - hence my question)
>
> at time _t+1_ certbot tries, but fails due to random fsckup (which I
> know to be possible).
>
> at time _t+2_ it's too late, cert has expired.
>
> It's a tradeoff - I could run it every minute and I would be very
> confident of eventual success, but that would be wasteful.
>
>> The acme.sh client automatically installs the proper crontab entry for
>> renewals.
>
> I'll take a look, but this seems to be behavior inherently specific to
> the client, plus a human policy decision.
>
> BTW, knowing this I am glad I have not selected acme.sh as the client to
> run :-)