Reducing letsencrypt.org SSL certificate renewal requests
letsencrypt.org provides free SSL certificates using the ACME protocol. Because these certificates are only valid for 90 days, they have to be renewed. This renewal can be automated with a cron(8) job.
All tutorials I have seen show an entry in the crontab(5) table/configuration file for daily renewal requests. I find that kind of silly. Although you can do a certificate renewal request whenever you want, the cert will only actually be renewed if it is less than 30 days old. On OpenBSD my entry for a cert renewal request with acme-client(1) every 8 days looks like this:
Code:
    # crontab -l
    [snip]
    # ------------------------------------------
    # renew letsencrypt certificate every 8 days
    # ------------------------------------------
    #minute hour    mday    month   wday    [flags] command
    # the following line with '8~52' always runs at 14:17 ..... So try something new
    #8~52   14      */8     *       *       acme-client -v siralas.nl && rcctl reload relayd
    31~59   14      */8     *       *       acme-client -v siralas.nl && rcctl reload relayd
An overview of the emails that are sent after the cron job has run:
Code:
    71 Feb  1   Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    72 Feb  9   Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    73 Feb 17   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    74 Feb 25   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    75 Mar  1   Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    76 Mar  9   Cron Daemon (4K)  Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    77 Mar 17   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    78 Mar 25   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    79 Apr  1   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    80 Apr  9   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    81 Apr 17   Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    82 Apr 25   Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    83 May  1   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    84 May  9   Cron Daemon (4K)  Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    85 May 17   Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    86 May 25   Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    87 Jun  1   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    88 Jun  9   Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    89 Jun 17   Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    90 Saturday Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
On the first day of every month the 8-day cycle is restarted.
Keep this in mind if you would like to use a different cycle. The contents of the April 1st mail:
Code:
    Date: Fri, 1 Apr 2022 14:17:02 +0200 (CEST)
    From: Cron Daemon <root@nedrag.siralas.nl>
    To: root@nedrag.siralas.nl
    Subject: Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 66 days left
Code:
    Date: Sun, 17 Apr 2022 14:17:01 +0200 (CEST)
    acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 50 days left
    Date: Mon, 25 Apr 2022 14:17:01 +0200 (CEST)
    acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 42 days left
    Date: Sun, 1 May 2022 14:17:01 +0200 (CEST)
    acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 36 days left
Code:
    Date: Mon, 9 May 2022 14:17:01 +0200 (CEST)
    From: Cron Daemon <root@nedrag.siralas.nl>
    To: root@nedrag.siralas.nl
    Subject: Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
    acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate renewable: 28 days left
    acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
    acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
    [snip]
    acme-client: order.status 3
    acme-client: https://acme-v02.api.letsencrypt.org/acme/cert/04a99a960ec3ea0f03a1a1713afe10918189: certificate
    acme-client: /etc/ssl/siralas.nl.fullchain.pem: created
    relayd(ok)
    # crontab -e
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
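
Added example, not part of the original post: a small Python simulation of the day-of-month field `*/step` that reproduces the run dates and the 9 May renewal seen in the mails, then shows how few days can be left at renewal for other cycles. The expiry date 6 June 2022 is derived from the "66 days left" mail of 1 April; treating a certificate as renewable when fewer than 30 days remain is an assumption based on the mails above (36 days: valid, 28 days: renewable), and all function names are made up for this example.

```python
from datetime import date, timedelta

def run_dates(step, year):
    """Dates matched by a crontab day-of-month field '*/step' during `year`."""
    d, out = date(year, 1, 1), []
    while d.year == year:
        if (d.day - 1) % step == 0:      # field range is 1-31, so 1, 1+step, ...
            out.append(d)
        d += timedelta(days=1)
    return out

def gaps(dates):
    """Days between consecutive runs."""
    return [(b - a).days for a, b in zip(dates, dates[1:])]

def renewal_run(expiry, dates, window=30):
    """First run with fewer than `window` days left -> (run date, days left).
    The strict '<' threshold is an assumption, see the lead-in."""
    for d in dates:
        left = (expiry - d).days
        if left < window:
            return d, left
    return None

def worst_days_left(step, year, window=30):
    """Smallest days-left value at renewal over all expiry dates Mar-Dec of `year`."""
    dates = run_dates(step, year) + run_dates(step, year + 1)
    worst, expiry = None, date(year, 3, 1)
    while expiry.year == year:
        left = renewal_run(expiry, dates, window)[1]
        worst = left if worst is None else min(worst, left)
        expiry += timedelta(days=1)
    return worst

if __name__ == "__main__":
    runs = run_dates(8, 2022)
    print("gaps between runs:", sorted(set(gaps(runs))))
    print("renewal run:", renewal_run(date(2022, 6, 6), runs))
    for step in (8, 15, 31):
        print(f"*/{step}: worst case {worst_days_left(step, 2022)} days left")
```

A negative worst case means the certificate can expire before the next run fires, so any cycle longer than the renewal window needs a second look.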