Le 12/06/2018 à 18:42, Daniel Dekany a écrit :
Tuesday, June 12, 2018, 6:06:17 PM, Jacques Le Roux wrote:

Hi Daniel,

It's done with an update of the wiki page

But I faced an issue with the cron job, this command:

jleroux@freemarker-vm:/opt/fmonlinetester/var$ sudo curl
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

I also tried HTTP, no protocol  and both (//) to no avail so far. I
don't know what I miss, if I miss something

jleroux@freemarker-vm:/opt/fmonlinetester/var$ sudo curl 
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 405 Method Not Allowed</title>
<body><h2>HTTP ERROR 405</h2>
<p>Problem accessing /tasks/reload-ssl. Reason:
<pre>    Method Not Allowed</pre></p>
It's HTTP, not HTTPS, and it seems the HTTP method must be POST, not
OK thanks, indeed
sudo curl -X POST http://localhost:8081/tasks/reload-ssl
works :)

All is ready and working manually. I will just check the 
/var/log/fmonlinetester/letsencrypt.log tomorrow morning. I use the cron line:
0 0 * * * /opt/fmonlinetester/var/cert-renew.sh > 


Le 09/06/2018 à 14:31, Jacques Le Roux a écrit :
Yes, I'll take care of that

Thanks for the reminder :)


Le 09/06/2018 à 11:26, Daniel Dekany a écrit :
You have intended to do these, to my understanding. You still plan to?

Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:


Le 19/05/2018 à 12:02, Daniel Dekany a écrit :
Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:

Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:

cerbot renew
openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
-inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
/etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
/etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
pass:"theKnownPassword" (not copied here)
Though you have posted that password to this mailing list anyway... ;)
Yes indeed, just once, but you'r right I should have used private :/
Anyway we should change it and keep the new one in a specific file
at https://svn.apache.org/repos/private/pmc/freemarker

I think it should not change the rights to read in
/etc/letsencrypt/live (now with fmonlinetester in group)
It would be surprising if it changes it.
Yep, just got surprisingly bitten once, so...

but we should try it manually once and check.

If it does change then we will need to re-add fmonlinetester
in the group at end of cert-renew.sh. I crossed this read issue before as 
user, initially the dir was readeable w/o sudo and then not. Not
sure if it's certbot or openssl which did that in my case.

Also I don't think we need to care about change in
/etc/letsencrypt/live/try.freemarker.apache.org/ If they are no
change certificate.p12 will be the
same, no worries.
Of course. It will need to issue that SSL cert reloading curl command
Ah indeed


I think we should not show the "theKnownPassword" in the wiki page...
Yeah, I guess it's better star it out on cwiki. (Though to get the p12
or private key one has to pawn the server anyway... and then he finds
the password too.)
I think https://svn.apache.org/repos/private/pmc/freemarker better fits for all 
private things
For instance the cron job copy and all the rest. And simply refer to private 
things from the wiki

Are there any Let's Encrypt related credentials we should be aware of
(in case you become unavailable)?
Nope, I used only the temporary secret password everywhere and IIRW
it was only when creating the cert from .pem files.

I think "Enter email address (used for urgent renewal and security
notices)" should be priv...@freemarker.apache.org.
I agree! I used mine so far. To be changed like the cert password
Will you handle the job creation and the doc?

Have a good weekend


Reply via email to