Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:

> Inline...
>
> Le 19/05/2018 à 12:02, Daniel Dekany a écrit :
>> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>>
>>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root,
>>> content:
>>>
>>> certbot renew
>>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
>>> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
>>> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
>>> pass:"theKnownPassword" (not copied here)
>> Though you have posted that password to this mailing list anyway... ;)
> Yes indeed, just once, but you're right, I should have used private :/
> Anyway we should change it and keep the new one in a specific file
> at https://svn.apache.org/repos/private/pmc/freemarker
>
>>> I think it should not change the rights to read in
>>> /etc/letsencrypt/live (now with fmonlinetester in group)
>> It would be surprising if it changes it.
> Yep, just got surprisingly bitten once, so...
>
>>
>>> but we should try it manually once and check.
>>>
>>> If it does change then we will need to re-add fmonlinetester
>>> in the group at end of cert-renew.sh. I crossed this read issue before as
>>> jleroux
>>> user, initially the dir was readable w/o sudo and then not. Not
>>> sure if it's certbot or openssl which did that in my case.
>>>
>>> Also I don't think we need to care about change in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/ If there is no
>>> change certificate.p12 will be the
>>> same, no worries.
>> Of course. It will need to issue that SSL cert reloading curl command
>> though.
> Ah indeed
>
> localhost:8081/tasks/reload-ssl
>
>
>>> I think we should not show the "theKnownPassword" in the wiki page...
>> Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
>> or private key one has to pwn the server anyway... and then he finds
>> the password too.)
> I think https://svn.apache.org/repos/private/pmc/freemarker better fits for
> all private things
> For instance the cron job copy and all the rest. And simply refer to private
> things from the wiki

For try.freemarker these security things don't matter much, but in general, such a repo is not a good place to store security related sensitive files. People just check it out, and it will be on the HDD/SSD unencrypted for ever... then the notebook gets stolen or such.

>> Are there any Let's Encrypt related credentials we should be aware of
>> (in case you become unavailable)?
> Nope, I used only the temporary secret password everywhere and IIRW
> it was only when creating the cert from .pem files.
>
>> I think "Enter email address (used for urgent renewal and security
>> notices)" should be priv...@freemarker.apache.org.
> I agree! I used mine so far. To be changed like the cert password
> Will you handle the job creation and the doc?

OK, I will then.

> Have a good weekend
>
> Jacques
>

--
Thanks,
 Daniel Dekany
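As an added illustration (not the thread's own cron script), here is one way to write cert-renew.sh along the lines discussed above: renew, re-check that /etc/letsencrypt/live stays group-readable for fmonlinetester, export the p12 only when cert.pem actually changed, read the export password from a root-only file instead of putting it on the command line, and then hit the reload-ssl URL. The password file path, the saved-copy path, the `--quiet` flag, `-passout file:` and the `$0` guard are assumptions, not things the thread states.

```shell
#!/bin/sh
# cert-renew.sh, added example shaped after the thread; not the project's script.
# Assumed (not from the thread): PASSFILE and STAMP paths, and the $0 guard.
set -eu

LIVE=/etc/letsencrypt/live/try.freemarker.apache.org
P12=/etc/letsencrypt/live/certificate.p12
PASSFILE=/root/cert-renew.pass            # root-only (chmod 600) p12 password
STAMP=/var/lib/cert-renew/last-cert.pem   # copy of the cert exported last time
READER_GROUP=fmonlinetester               # group that must keep read access
RELOAD_URL=http://localhost:8081/tasks/reload-ssl

# True if the group-read bit of a directory is set (parses `ls -ld`, which is
# portable across GNU and BSD stat variants).
group_readable() {
    case "$(ls -ld "$1")" in
        d???r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# True if cert.pem differs from the copy saved at the last export (or no copy).
cert_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

main() {
    certbot renew --quiet
    # Renewal once dropped group read on the live dir; re-add it if so.
    if ! group_readable /etc/letsencrypt/live; then
        chgrp "$READER_GROUP" /etc/letsencrypt/live
        chmod g+rx /etc/letsencrypt/live
    fi
    if cert_changed "$LIVE/cert.pem" "$STAMP"; then
        # Password comes from a file, so it appears neither in ps nor on the wiki.
        openssl pkcs12 -export -out "$P12" -inkey "$LIVE/privkey.pem" \
            -in "$LIVE/cert.pem" -certfile "$LIVE/chain.pem" \
            -passout "file:$PASSFILE"
        mkdir -p "$(dirname "$STAMP")"
        cp "$LIVE/cert.pem" "$STAMP"
        curl -fsS "$RELOAD_URL"           # make the tester reload the new p12
    fi
}

# Only run the job when invoked as cert-renew.sh; running the file under another
# name (or sourcing it) just defines the functions.
case "${0##*/}" in cert-renew.sh) main ;; esac
```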