Tuesday, June 12, 2018, 7:48:13 PM, Jacques Le Roux wrote:

[snip]

> OK thanks, indeed
>
> sudo curl -X POST http://localhost:8081/tasks/reload-ssl
>
> works :)
>
> All is ready and working manually. I will just check the
> /var/log/fmonlinetester/letsencrypt.log tomorrow morning. I use the cron line:
>
> 0 0 * * * /opt/fmonlinetester/var/cert-renew.sh > /var/log/fmonlinetester/letsencrypt.log

Great, thanks! A small thing though. Scripts should be in bin, not var.
And if you are there anyway, AFAIR I have made /opt/fmonlinetester/var/log
(which links to /var/log/fmonlinetester), in which case it's better to use
that path.

> Jacques
>>> Jacques
>>>
>>> On 09/06/2018 at 14:31, Jacques Le Roux wrote:
>>>> Yes, I'll take care of that
>>>>
>>>> Thanks for the reminder :)
>>>>
>>>> Jacques
>>>>
>>>> On 09/06/2018 at 11:26, Daniel Dekany wrote:
>>>>> You have intended to do these, to my understanding. You still plan to?
>>>>>
>>>>> Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:
>>>>>
>>>>>> Inline...
>>>>>>
>>>>>> On 19/05/2018 at 12:02, Daniel Dekany wrote:
>>>>>>> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>>>>>>>
>>>>>>>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root,
>>>>>>>> content:
>>>>>>>>
>>>>>>>> certbot renew
>>>>>>>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 \
>>>>>>>>   -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem \
>>>>>>>>   -in /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem \
>>>>>>>>   -certfile /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem \
>>>>>>>>   -pass pass:"theKnownPassword" (not copied here)
>>>>>>> Though you have posted that password to this mailing list anyway... ;)
>>>>>> Yes indeed, just once, but you're right, I should have used private :/
>>>>>> Anyway we should change it and keep the new one in a specific file
>>>>>> at https://svn.apache.org/repos/private/pmc/freemarker
>>>>>>
>>>>>>>> I think it should not change the rights to read in
>>>>>>>> /etc/letsencrypt/live (now with fmonlinetester in group)
>>>>>>> It would be surprising if it changes it.
>>>>>> Yep, just got surprisingly bitten once, so...
>>>>>>
>>>>>>>> but we should try it manually once and check.
>>>>>>>>
>>>>>>>> If it does change then we will need to re-add fmonlinetester
>>>>>>>> in the group at the end of cert-renew.sh. I crossed this read issue before
>>>>>>>> as jleroux user: initially the dir was readable w/o sudo and then not. Not
>>>>>>>> sure if it's certbot or openssl which did that in my case.
>>>>>>>>
>>>>>>>> Also I don't think we need to care about change in
>>>>>>>> /etc/letsencrypt/live/try.freemarker.apache.org/ If there is no
>>>>>>>> change, certificate.p12 will be the same, no worries.
>>>>>>> Of course. It will need to issue that SSL cert reloading curl command
>>>>>>> though.
>>>>>> Ah indeed
>>>>>>
>>>>>> localhost:8081/tasks/reload-ssl
>>>>>>
>>>>>>>> I think we should not show the "theKnownPassword" in the wiki page...
>>>>>>> Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
>>>>>>> or private key one has to pawn the server anyway... and then he finds
>>>>>>> the password too.)
>>>>>> I think https://svn.apache.org/repos/private/pmc/freemarker fits better
>>>>>> for all private things, for instance the cron job copy and all the rest.
>>>>>> And simply refer to private things from the wiki.
>>>>>>
>>>>>>> Are there any Let's Encrypt related credentials we should be aware of
>>>>>>> (in case you become unavailable)?
>>>>>> Nope, I used only the temporary secret password everywhere and IIRC
>>>>>> it was only when creating the cert from .pem files.
>>>>>>
>>>>>>> I think "Enter email address (used for urgent renewal and security
>>>>>>> notices)" should be [email protected].
>>>>>> I agree! I used mine so far. To be changed like the cert password.
>>>>>> Will you handle the job creation and the doc?
>>>>>>
>>>>>> Have a good weekend
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>
>>>
>
>

-- 
Thanks,
 Daniel Dekany
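The nightly renewal job the thread sketches (certbot renew, rebuild the PKCS#12 bundle, re-check group access, POST to the reload endpoint), written out as an added example; it is not the project's actual cert-renew.sh, which is not on the page. It keeps the domain, paths, group and reload URL from the thread and adds two assumptions of its own: a root-owned 0600 password file /etc/letsencrypt/p12-pass that is handed to openssl with -passout file: so the password never sits on a command line (where `ps` and shell history would expose it, which is the same leak the thread worries about for the list and the wiki), and a stamp file holding the SHA-256 of cert.pem so the bundle is only rebuilt and the reload only issued when a new certificate was actually written.

```shell
#!/bin/sh
# cert-renew.sh, added example (not the project's own script). Domain, paths,
# group and reload URL are from the mailing-list thread; P12_PASS_FILE and
# STAMP_FILE are assumptions introduced here.
set -eu

DOMAIN="try.freemarker.apache.org"
LE_LIVE="/etc/letsencrypt/live"
LIVE_DIR="$LE_LIVE/$DOMAIN"
P12_OUT="$LE_LIVE/certificate.p12"
P12_PASS_FILE="/etc/letsencrypt/p12-pass"     # assumed: root:root, mode 0600, one line
STAMP_FILE="$LE_LIVE/.cert-fingerprint"       # assumed: sha256 of cert.pem from last run
APP_GROUP="fmonlinetester"
RELOAD_URL="http://localhost:8081/tasks/reload-ssl"

# Hex SHA-256 of a file.
cert_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Exit 0 (true) when the certificate differs from the fingerprint recorded on
# the previous run, or when nothing has been recorded yet; exit 1 otherwise.
cert_changed() {
    cert="$1"; stamp="$2"
    [ -f "$stamp" ] || return 0
    [ "$(cert_fingerprint "$cert")" != "$(cat "$stamp")" ]
}

# Persist the current fingerprint for the next run to compare against.
record_fingerprint() {
    cert_fingerprint "$1" > "$2"
}

# The app user only needs to traverse the live dir and read the .p12; the
# private key itself stays root-only. Jacques reports the dir turning
# unreadable after a renewal, so this is re-applied on every run rather than
# set once by hand.
fix_group_access() {
    dir="$1"; p12="$2"; group="$3"
    chgrp "$group" "$dir" "$p12"
    chmod 0750 "$dir"
    chmod 0640 "$p12"
}

# Rebuild the PKCS#12 bundle. -passout file: reads the password from a file
# instead of -pass pass:"...", which shows up in `ps` and in shell history.
export_p12() {
    openssl pkcs12 -export -out "$P12_OUT" \
        -inkey "$LIVE_DIR/privkey.pem" \
        -in "$LIVE_DIR/cert.pem" \
        -certfile "$LIVE_DIR/chain.pem" \
        -passout "file:$P12_PASS_FILE"
}

# Ask the application to reload its SSL context; -f makes a non-2xx fail the job.
reload_ssl() {
    curl -fsS -X POST "$RELOAD_URL"
}

main() {
    certbot renew --quiet
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if cert_changed "$LIVE_DIR/cert.pem" "$STAMP_FILE"; then
        export_p12
        fix_group_access "$LE_LIVE" "$P12_OUT" "$APP_GROUP"
        reload_ssl
        record_fingerprint "$LIVE_DIR/cert.pem" "$STAMP_FILE"
        echo "$now certificate renewed: p12 rebuilt, group access fixed, SSL reloaded"
    else
        echo "$now certificate unchanged: nothing to do"
    fi
}

# Only run the job when explicitly asked (CERT_RENEW_RUN=1 from cron), so the
# functions above can be sourced and exercised without touching the system.
if [ "${CERT_RENEW_RUN:-0}" = "1" ]; then
    main
fi
```

With Daniel's path suggestions the cron line becomes `0 0 * * * CERT_RENEW_RUN=1 /opt/fmonlinetester/bin/cert-renew.sh >> /opt/fmonlinetester/var/log/letsencrypt.log 2>&1`; note `>>` rather than the thread's `>`, which would truncate the log every night and drop the previous night's error just when you want to read it. certbot's own `--deploy-hook` runs a command only when a certificate was actually renewed and could replace the fingerprint check; the stamp file is used here so that the first run, and a renewal done by hand outside this script, still trigger the rebuild and reload.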
