On 19 November 2023 19:33:12 UTC, Viktor Dukhovni via Exim-users <[email protected]> wrote:
> It is possible for the path unit to fail to run, but the ACME client
> believes it is done. Does systemd's path unit guarantee "at least once"
> execution.

The ACME client doesn't need to know about that (nor does it). The cert is renewed on another host (container); after renewal it is placed into one dir on the target host, and that is all for certbot. Then the systemd path unit is activated locally and the cert is copied to its final place.

Sure, its execution can fail. Systemd has the ability to restart its services in case of a non-success return code, but now I am not sure if that will happen with units triggered by a path (or similar) unit; I add that to my ToDo (to try/verify it). Anyway, if the unit fails:

a) monitoring will alert me about the failed systemd unit
b) the old certificate will stay in place
c) sooner or later monitoring will alert me about the expiring cert
d) if my script fails, its unit fails and a) will happen

Alerts are repeated (hourly for systemd units and daily for expiration) until solved. As LE certs are renewed 30 days before expiration, there is enough time to solve the problem. Various problems have happened already (over the years), including cert renewal, so monitoring/alerting works for me.

> I called that "gating" in the linked thread. You're (at least compared
> to most :-) a sophisticated user.

Or more simply, I am aware of "Murphy's law": "If something can fail, it will fail, and if something cannot fail, it will fail too" (raw translation) :-)

> * Staging a future key, that the ACME client will conditionally
>   switch to, once the TLSA record is live.

Do you mean the opposite of the usual certbot logic: first generate the key, then set up TLSA for it, and after that request the certificate for/with that key?

> * Avoiding reliance on "certbot" hooks, which (last I checked) don't
>   guarantee "at least once" execution.

Do you mean the ability to rerun a hook if it fails? Or do you mean that certbot can skip/fail to run the hook after renewal at all?
regards
--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
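The "gating" Viktor refers to (switch to the staged key only once its TLSA record is live) can be made a concrete check in the local deploy step, so that a certificate whose key is not yet published fails the unit and trips the monitoring described above. The following Python is an added example, not code from either poster or from certbot: it walks the DER certificate to the SubjectPublicKeyInfo, takes its SHA-256 (the TLSA 3 1 1 association) and accepts the certificate only if that digest is already in the live RRset. The TLSA lookup itself is assumed to be done elsewhere, and the certificate used as input is a constructed DER skeleton, not a real signed certificate.

```python
import hashlib

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def spki_sha256_hex(cert_der: bytes) -> str:
    """TLSA selector 1 / matching type 1: SHA-256 over the DER SubjectPublicKeyInfo."""
    _, cert_cs, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, cert_cs)     # tbsCertificate ::= SEQUENCE
    fields = []                                   # (tlv_start, tlv_end) of each TBS field
    while pos < tbs_end:
        _, _, end = _tlv(cert_der, pos)
        fields.append((pos, end))
        pos = end
    if cert_der[fields[0][0]] == 0xA0:            # drop optional [0] EXPLICIT version
        fields.pop(0)
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    start, end = fields[5]
    return hashlib.sha256(cert_der[start:end]).hexdigest()

def tlsa_gate(cert_der: bytes, live_311_records) -> bool:
    """True only if the candidate cert's SPKI digest is already published as a 3 1 1 record."""
    return spki_sha256_hex(cert_der) in {r.strip().lower() for r in live_311_records}

# Constructed sample: structurally valid DER skeleton with a dummy EC key, not a real cert.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                  + der(0x03, b"\x00\x04" + b"\x11" * 64))
_name = der(0x30, b"")
_validity = der(0x30, der(0x17, b"231119000000Z") + der(0x17, b"240217000000Z"))
_tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
        + der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
        + _name + _validity + _name + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, der(0x30, _tbs) + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_SPKI_SHA256 = hashlib.sha256(SAMPLE_SPKI).hexdigest()   # computed directly, not via parsing

if __name__ == "__main__":
    live = [SAMPLE_SPKI_SHA256]   # in practice: the TLSA RRset fetched from DNS (assumed, not shown)
    print("install" if tlsa_gate(SAMPLE_CERT, live) else "refuse: TLSA record not live")
```

A deploy script would exit non-zero on "refuse", leaving the old certificate in place and letting the failed unit raise the alert.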
