On 2017-02-25 09:26:11 +0100, Tobias Pape wrote:
> On 25.02.2017, at 09:02, Aaron Zauner <[email protected]> wrote:
> > Maybe we should switch to Let's Encrypt and use the Certbot client? That'll
> > get us new certificates and we won't have to pay.
>
> It already is:
>
> $ openssl s_client -connect bettercrypto.org:443
> CONNECTED(00000003)
> depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/CN=bettercrypto.org
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
>
> Maybe forgotten cronjob ;)

Or just forgot to restart the server. When I switched my private domains
to Let's Encrypt, I assumed that I would reboot the host at least once
in 90 days (e.g., because of a new kernel), so I wouldn't have to
restart the server after obtaining a new certificate. That turned out to
be not quite true. Not only doesn't Debian issue new kernels quite as
often as I thought, the time window is quite a bit shorter: If you
obtain a new certificate every month (as I do), the certificate may be
up to 31 days old when the server is restarted, so there are only 59
days left. So it's a good idea to either restart the server immediately
after obtaining a new certificate or have some other cron job which
restarts the server regularly.
hp
--
_ | Peter J. Holzer | A coding theorist is someone who doesn't
|_|_) | | think Alice is crazy.
| | | [email protected] | -- John Gordon
__/ | http://www.hjp.at/ | http://downlode.org/Etext/alicebob.html
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
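
The failure mode described in the message above (a renewed certificate on disk while the running server still presents the old one) can be checked for directly. The following is an added example, not part of the original thread; the host name and PEM path are arguments the operator supplies, and the function names are illustrative.

```python
"""Detect a renewed-but-not-loaded certificate: compare what the server
presents on the wire with the certificate file the ACME client wrote."""
import hashlib
import socket
import ssl
import sys


def served_cert_der(host, port=443, timeout=10):
    """Return the DER leaf certificate the running server presents."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: an expired or otherwise broken
    # certificate must still be fetched so that it can be compared.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def disk_cert_der(pem_path):
    """Return the DER form of the first (leaf) certificate in a PEM file."""
    with open(pem_path, encoding="ascii") as fh:
        pem = fh.read()
    start = pem.index(ssl.PEM_HEADER)
    end = pem.index(ssl.PEM_FOOTER) + len(ssl.PEM_FOOTER)
    return ssl.PEM_cert_to_DER_cert(pem[start:end])


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def reload_needed(served_der, disk_der):
    """True when the server still presents a certificate other than the one on disk."""
    return fingerprint(served_der) != fingerprint(disk_der)


if __name__ == "__main__":
    # Usage (both arguments are the operator's own values):
    #   check_reload.py HOST /path/to/fullchain.pem
    host, pem_path = sys.argv[1], sys.argv[2]
    if reload_needed(served_cert_der(host), disk_cert_der(pem_path)):
        print("served certificate differs from", pem_path, "- reload the server")
        sys.exit(1)
    print("server is presenting the certificate on disk")
```

Run from cron after the renewal job, the non-zero exit status can trigger the reload or an alert.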
