Let's Encrypt

15 messages

Let's Encrypt

Victor Sudakov-3
Dear Colleagues,

Which client is now recommended to work with Let's Encrypt?

I see numerous clients in the ports tree, some deleted, some renamed...
Which one is good?

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

Re: Let's Encrypt

Andrea Venturoli
On 2019-09-08 16:58, Victor Sudakov wrote:
> Dear Colleagues,
>
> Which client is now recommended to work with Let's Encrypt?
>
> I see numerous clients in the ports tree, some deleted, some renamed...
> Which one is good?

I'm happy with acme.sh.
Don't know about the others.

  bye
        av.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"
Re: Let's Encrypt

Reshad Patuck
Hi,

I've been using certbot for quite some time. No complaints here.
 https://www.freshports.org/security/py-certbot/

Reshad

On 8 September 2019 9:46:48 pm IST, Andrea Venturoli <[hidden email]> wrote:

>On 2019-09-08 16:58, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> Which client is now recommended to work with Let's Encrypt?
>>
>> I see numerous clients in the ports tree, some deleted, some
>renamed...
>> Which one is good?
>
>I'm happy with acme.sh.
>Don't know about the others.
>
>  bye
> av.
Re: Let's Encrypt

Victor Sudakov-3
Victor Sudakov wrote:
>
> Which client is now recommended to work with Let's Encrypt?
>
> I see numerous clients in the ports tree, some deleted, some renamed...
> Which one is good?

It is interesting how several people advised different software:
py-certbot, acme.sh, dehydrated.

The majority is for py-certbot, so I'll probably use it. Thank you.


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

Re: Let's Encrypt

Trond Endrestøl-2
On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:

> The majority is for py-certbot, so I'll probably use it. Thank you.

I have found it prudent to run certbot twice a month from cron(8),
just to be safe.

Last year, I had one case where the certificate expired a few hours
before the next run of certbot. Had I run certbot on the 1st and on
the 15th day of each month, then the certificates would have been
updated ahead of their expiration.

E.g.:

#minute hour mday month wday who command

52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

--
Trond.
Re: Let's Encrypt

Vladimir Botka-5
On Mon, 9 Sep 2019 12:12:55 +0200 (CEST)
Trond Endrestøl <[hidden email]> wrote:

> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.  
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
I believe --dry-run renewal is encouraged. Both for testing on the
development side and to be sure all is running well on the user's side.

See "Help us test renewal with 'letsencrypt renew'":
https://community.letsencrypt.org/t/help-us-test-renewal-with-letsencrypt-renew/10562

Q. What’s the new --dry-run flag?
A. The new --dry-run flag for both certonly and renew performs the
certificate request(s) against the staging server, which issues test
certificates that are not trusted by browsers. This verifies whether you’re
apparently able to get a certificate, in your current configuration, using
the method that you specified (for example, if you were using webroot
authentication, whether your webroot configuration is capable of being
validated by the CA). With --dry-run, the certificates obtained are not
actually saved to disk and your configuration is not updated. You can use
this to simulate what would apparently happen if you ran the command without
--dry-run.

FWIW, here is the link to my wrappers for certbot (last update June 2018)
https://github.com/vbotka/le-utils

For example below is a fragment from crontab.

  1) Daily send email with certificates that expire within 30 days.
  2) Daily dry-run renew all certificates.
  3) Daily renew certificates that expire within 30 days.

  #Ansible: check expiry of certificates
  15 2 * * * /root/bin/leinfo -e --Days=30 -a
  #Ansible: dry-run renewal of certificates
  20 2 * * * /root/bin/lectl -s -n -c -a
  #Ansible: renewal of certificates
  20 3 * * * /root/bin/lectl -s -D=30 -c -a && /root/bin/lectl -s -p && /root/bin/leinfo -s -g -a

If all is right I get only emails with the renewals.

Cheers,

        -vlado

Re: Let's Encrypt

freebsd-security mailing list
On Sun, 8 Sep 2019 at 16:58, Victor Sudakov <[hidden email]> wrote:

> Which client is now recommended to work with Let's Encrypt?
>
> I see numerous clients in the ports tree, some deleted, some renamed...
> Which one is good?

I use net/traefik as reverse proxy. It has Let's encrypt support
built-in, see https://docs.traefik.io/configuration/acme/

Riggs
Re: Let's Encrypt

Dan Langille
On Mon, Sep 9, 2019, at 6:12 AM, Trond Endrestøl wrote:

> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24
> stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24
> stop" --post-hook "service apache24 start"


Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.

I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.

Should the cert-renewal process not run on a given day, no big deal, it runs the next day. I had considered running it less frequently, but settled on daily.

--
  Dan Langille
  [hidden email]
Re: Let's Encrypt

Andrea Venturoli
On 2019-09-09 14:26, Dan Langille wrote:

> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.
>
> I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.

Same here: Nagios will alert me in case acme.sh is not doing its job
(daily), although this has almost never happened.

  bye
        av.
Re: Let's Encrypt

Dan Langille
> On Sep 9, 2019, at 8:30 AM, Andrea Venturoli <[hidden email]> wrote:
>
> On 2019-09-09 14:26, Dan Langille wrote:
>
>> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.
>> I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.
>
> Same here: Nagios will alert me in case acme.sh is not doing its job (daily), although this has almost never happened.

My Nagios alerts are on the certs.  It monitors the certs on the services: e.g. www.freshports.org

Those alerts let me know if there are any issues in the cert distribution chain: my certs are renewed on one host, and then automagically
deployed across multiple servers (and jails on other hosts).

I do not have Nagios monitoring day-to-day runs of acme.sh

I use the (relatively new) notify feature on acme.sh to tell me if there were any errors during the renewal process:

   https://github.com/Neilpang/acme.sh/wiki/notify

Some might think: that's not good enough. What if cert fails to run and the certs don't get renewed in time?

Monitoring of the deployed scripts will let me know of that. Certs are renewed with 30 days remaining. Alerts trigger at 28-days.
That is enough time to fix anything broken.



Dan Langille
http://langille.org/




Re: Let's Encrypt

Andrea Venturoli
On 2019-09-09 14:36, Dan Langille wrote:

> My Nagios alerts are on the certs.  It monitors the certs on the
> services: e.g. www.freshports.org

Sure.
Probably I wasn't clear: Nagios looks at the certificates in my case too.
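Dan's and Andrea's posts above describe the same safety net: renew early (acme.sh renews with 30 days left) and have Nagios watch the certificate itself, alerting at 28 days, so a failed or skipped run is noticed long before the expiry Trond ran into with his twice-monthly cron job. The probe below is an added example of such a check; it is not code from this thread, from acme.sh or from certbot. It relies only on openssl(1), which is in the FreeBSD base system, and uses `x509 -checkend` instead of parsing dates by hand. The 28-day threshold, the `-s` flag and the Nagios exit-code mapping (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) are this example's own conventions.

```shell
#!/bin/sh
# check_cert_expiry.sh - Nagios-style certificate expiry check (added example).
# Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN. Assumes openssl(1) is installed (FreeBSD base system has it).

# Alert threshold in days. 28 is two days after a "renew at 30 days" client
# should have done its job, so a stuck renewal is caught with ~4 weeks to spare.
WARN_DAYS=${WARN_DAYS:-28}

# check_cert_file PEMFILE [DAYS]
# 0 if the certificate in PEMFILE is still valid DAYS from now,
# 1 if it expires within DAYS, 2 if it has already expired, 3 if unreadable.
check_cert_file() {
    cert=$1
    days=${2:-$WARN_DAYS}
    enddate=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || return 3
    # -checkend N succeeds only if the cert is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "CRITICAL: $cert has expired ($enddate)"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "WARNING: $cert expires within $days days ($enddate)"
        return 1
    fi
    echo "OK: $cert valid for more than $days days ($enddate)"
    return 0
}

# check_cert_service HOST [PORT] [DAYS]
# Fetches the leaf certificate actually served by HOST:PORT (SNI set to HOST),
# so it tests what clients see after deployment, not just a file on disk.
check_cert_service() {
    host=$1
    port=${2:-443}
    days=${3:-$WARN_DAYS}
    tmp=$(mktemp) || return 3
    if ! openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "UNKNOWN: could not fetch a certificate from $host:$port"
        return 3
    fi
    rc=0
    check_cert_file "$tmp" "$days" || rc=$?
    rm -f "$tmp"
    return $rc
}

# Command-line use:
#   check_cert_expiry.sh /usr/local/etc/ssl/example.com/fullchain.pem
#   check_cert_expiry.sh -s www.example.com 443
if [ "${1:-}" = "-s" ]; then
    check_cert_service "$2" "${3:-443}"
elif [ -n "${1:-}" ]; then
    check_cert_file "$1"
fi
```

Pointing the check at the served endpoint (`-s www.example.com`) rather than at the file on disk is what catches the distribution problems Dan mentions: a certificate renewed on one host but not pushed to a jail still shows up as the old certificate there, while the file on the renewing host looks fine.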
Re: Let's Encrypt

Victor Sudakov-3
Trond Endrestøl wrote:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

Is it safe to run certbot as root?

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

Re: Let's Encrypt

Micheas Herman
You would ideally create a certbot user that has just the permissions it
needs.

It has a fairly decent security history. So it's probably not the worst to
run as root in a limited manner.



On Mon, Sep 9, 2019, 5:52 PM Victor Sudakov <[hidden email]> wrote:

> Trond Endrestøl wrote:
> >
> > #minute       hour    mday    month   wday    who     command
> >
> > 52    4       1       *       *       root    certbot renew --quiet
> --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> > 52    1       15      *       *       root    certbot renew --quiet
> --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/
>
Re: Let's Encrypt

Trond Endrestøl-2
On Tue, 10 Sep 2019 07:52+0700, Victor Sudakov wrote:

> Trond Endrestøl wrote:
> >
> > #minute hour mday month wday who command
> >
> > 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> > 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?

It needs access to TCP port 443 to run some checks. Hence the need to
stop and start apache or your other regular webserver.

--
Trond.
Re: Let's Encrypt

Miroslav Lachman
Victor Sudakov wrote on 2019/09/10 02:52:
> Trond Endrestøl wrote:
>>
>> #minute hour mday month wday who command
>>
>> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?

I cannot recommend running things like this as root. I am using acme.sh
running as an unprivileged user and only the deployment of the new /
renewed key is run as root through sudo. I don't know certbot well;
acme.sh allows using shell scripts as hooks for actions like deployment,
so it was really simple to separate cert signing and deployment of the new cert.

Kind regards
Miroslav Lachman
