The "cleanup" cron job for the user _honk will run in HOME, which is /var/honk.

If another user runs that cron job, set HOME=/var/honk, or `cd /var/honk && honk cleanup`, or `honk -datadir /var/honk cleanup`, and check the .db permissions.

On September 28, 2022 4:57:51 PM UTC, "Gonzalo L. Rodriguez" <gonz...@x61.sh> wrote:
>On Wed, 21 Sep 2022 at 10:49:27 -0400, Horia Racoviceanu wrote:
>> ping
>> 
>> On 9/16/22, Horia Racoviceanu <ho...@racoviceanu.com> wrote:
>> > - Changed the certificate renewal cron job based on the OCSP staple
>> > interval for letsencrypt (for buypass it should be changed to run
>> > every 7th hour) and based on the update steps listed by Stuart
>> > - Replaced VARBASE with LOCALSTATEDIR
>> >
>> > I'd like to keep the acme-client and ocspcheck configuration in the
>> > port README because I know some less OpenBSD savvy people who
>> > installed the Honk package.
>> >
>> > On 7/31/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>> >> BTW what you think about a section in the FAQ about httpd, relayd,
>> >> acme-client for all web applications.
>> >>
>> >> On 31.07.22 at 13:12, Stuart Henderson wrote:
>> >>> 1. The staple needs to be updated periodically
>> >>>
>> >>> 2. If the certificate is updated the staple needs to be updated too
>> >>>
>> >>> 3. If either the certificate or the staple is changed, relayd needs a
>> >>> reload
>> >>>
>> >>> To be honest I'm not sure if it really belongs in the doc for some
>> >>> random port in www, this applies to anyone using relayd to front-end a
>> >>> web application.
>> >>>
>> >>> --
>> >>>    Sent from a phone, apologies for poor formatting.
>> >>>
>> >>>
>> >>> On 31 July 2022 02:16:13 Christoph Roland Winter <me@the.floof.rocks>
>> >>> wrote:
>> >>>
>> >>>> Besides this question, the idea of OCSP is
>> >>>>
>> >>>> By turning on OCSP Stapling, you can improve the performance of your
>> >>>> website, provide better privacy protections for your users, and help
>> >>>> Let’s Encrypt efficiently serve as many people as possible.
>> >>>>
>> >>>> https://letsencrypt.org/docs/integration-guide/
>> >>>>
>> >>>> Is it better to update the OCSP file before it expires, or update it only
>> >>>> seldom (in this case the question is whether it is not better not to use
>> >>>> OCSP at all).
>> >>>>
>> >>>>> On 31.07.22 at 00:33, Horia Racoviceanu wrote:
>> >>>>> I've switched the cron job to chaining acme-client && ocspcheck on
>> >>>>> June 20.
>> >>>>> Both the certificate and the OCSP response were last updated on June 20.
>> >>>>>
>> >>>>> # ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt}
>> >>>>> ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20
>> >>>>> 05:46:59 2022
>> >>>>>
>> >>>>> relayd and Firefox do not complain.
>> >>>>>
>> >>>>> ssllabs.com reports:
>> >>>>>
>> >>>>> OCSP Must Staple No
>> >>>>> OCSP stapling  Yes
>> >>>>> OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC
>> >>>>> 2022
>> >>>>>
>> >>>>> Can the OCSP STAPLING ERROR be ignored?
>> >>>>>
>> >>>>> On 7/30/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>> >>>>>> Welcome.
>> >>>>>>
>> >>>>>> The question is then, why the OCSP staple file expires after hours or
>> >>>>>> 7 days and the certificate will be renewed after 60 days following
>> >>>>>> man 1 acme-client
>> >>>>>>
>> >>>>>> -F      Force certificate renewal, even if it has more than 30 days
>> >>>>>>         validity.
>> >>>>>>
>> >>>>>> It can't be the idea to have an expired OCSP file for so long (I saw
>> >>>>>> Firefox in the past complain when an outdated OCSP file exists). So, if
>> >>>>>> you replace the first && with a ; nothing will change, as the last &&
>> >>>>>> to reload relayd will only happen if the cert or the OCSP file (or
>> >>>>>> both) was renewed, and if both are up to date nothing will happen.
>> >>>>>>
>> >>>>>> Just my 2 cents.
>> >>>>>>
>> >>>>>> Regards,
>> >>>>>>
>> >>>>>>
>> >>>>>> Christoph
>> >>>>>>
>> >>>>>>> On 30.07.22 at 19:07, Horia Racoviceanu wrote:
>> >>>>>>> Thanks for testing!
>> >>>>>>>
>> >>>>>>> As Stuart Henderson mentioned,
>> >>>>>>>> You do really want to update OCSP if a cert has been renewed.
>> >>>>>>>
>> >>>>>>> On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>> >>>>>>>> Hello,
>> >>>>>>>>
>> >>>>>>>> I have only kept the first message and was not subscribed to the list
>> >>>>>>>> for some time - let's see where the message ends.
>> >>>>>>>>
>> >>>>>>>> I tried the latest patch from
>> >>>>>>>> https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it
>> >>>>>>>> worked fine using
>> >>>>>>>>
>> >>>>>>>> OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022
>> >>>>>>>> and the -current ports tree using amd64.
>> >>>>>>>>
>> >>>>>>>> Maybe I am wrong but the crontab from the above patch
>> >>>>>>>>
>> >>>>>>>> +~ ~ * * * acme-client honk.example.com && ocspcheck -No
>> >>>>>>>> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload
>> >>>>>>>> relayd
>> >>>>>>>>
>> >>>>>>>> needs to be modified. The first && must be replaced with ; (or split
>> >>>>>>>> into 2 cron jobs). As it is now, the ocsp file only gets renewed every
>> >>>>>>>> 60 days, as acme-client renews the certificate only 30 days before it
>> >>>>>>>> expires (checked with the -v option, and as nothing happened before,
>> >>>>>>>> && stops at this point). BTW my ocsp file with the above command is
>> >>>>>>>> valid for 7 days.
>> >>>>>>>>
>> >>>>>>>> ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
>> >>>>>>>> Using http to host r3.o.lencr.org, port 80, path /
>> >>>>>>>> OCSP response validated from r3.o.lencr.org
>> >>>>>>>>          This Update: Thu Jul 28 15:00:00 2022
>> >>>>>>>>          Next Update: Thu Aug  4 14:59:58 2022
>> >>>>>>>>
>> >>>>>>>> The only thing I did was use the /etc/examples/acme-client.conf
>> >>>>>>>> file, add my email and add the domain blocks.
>> >>>>>>>>
>> >>>>>>>> Regards,
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> Christoph
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>> On 01.06.22 at 23:37, Horia Racoviceanu wrote:
>> >>>>>>>>> Upgrade to v0.9.8
>> >>>>>>>>> - Add MESSAGE
>> >>>>>>>>> - Update README
>> >>>>>>>>>
>> >>>>>>>>> changelog
>> >>>>>>>>>
>> >>>>>>>>> === 0.9.8 Tentative Tentacle
>> >>>>>>>>>
>> >>>>>>>>> + Switch database to WAL mode.
>> >>>>>>>>>
>> >>>>>>>>> - go version 1.16 required.
>> >>>>>>>>>
>> >>>>>>>>> + Specify banner: image in profile.
>> >>>>>>>>>
>> >>>>>>>>> + Update activity compatibility with mastodon.
>> >>>>>>>>>
>> >>>>>>>>> - Signed fetch.
>> >>>>>>>>>
>> >>>>>>>>> + Better unicode hashtags.
>> >>>>>>>>>
>> >>>>>>>>> + Some more configuration options.
>> >>>>>>>>>
>> >>>>>>>>> + Some UI improvements to web interface.
>> >>>>>>>>>
>> >>>>>>>>> + Add atme class to mentions
>> >>>>>>>>>
>> >>>>>>>>> + Improvements to the mastodon importer.
>> >>>>>>>>>
>> >>>>>>>>> + More hydration capable pages.
>> >>>>>>>>>
>> >>>>>>>>> + Support for local.js.
>> >>>>>>>>>
>> >>>>>>>>> + Better error messages for timeouts.
>> >>>>>>>>>
>> >>>>>>>>> + Some improved html and markdown.
>> >>>>>>>>
>> >>>>>>
>> >>>
>> >>
>> >
>> 
>
>Asking as a new user, that cronjob to "cleanup" won't fail without the .db in
>that PATH?
>
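An added example, not code from the thread or from the honk port: a small sh script for root's crontab that runs acme-client and ocspcheck independently (so the staple refresh no longer depends on acme-client's exit status, the problem Christoph describes above) and reloads relayd only when the certificate or staple file actually changed on disk. The file paths follow the thread's honk.example.com example; the install path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): renew the certificate and the OCSP
# staple independently, then reload relayd only if either file changed.
# Change detection uses file checksums rather than the tools' exit codes,
# because acme-client exits non-zero when nothing needed renewing, which
# is exactly what stopped the "acme-client && ocspcheck && rcctl" chain.
CERT=${CERT:-/etc/ssl/honk.example.com.crt}
STAPLE=${STAPLE:-/etc/ssl/honk.example.com.ocsp}

# Print a checksum of a file's contents; prints nothing if the file is missing.
fingerprint() {
    if [ -f "$1" ]; then
        cksum "$1" | cut -d' ' -f1
    fi
}

# run_and_detect FILE CMD...: run CMD, return 0 if FILE changed, 1 if not.
# CMD's own exit status is deliberately ignored (see the comment above).
run_and_detect() {
    _file=$1; shift
    _before=$(fingerprint "$_file")
    "$@"
    _after=$(fingerprint "$_file")
    [ "$_before" != "$_after" ]
}

# One cron run: both steps always execute; relayd reloads only when needed.
renew() {
    _changed=0
    run_and_detect "$CERT" acme-client honk.example.com && _changed=1
    run_and_detect "$STAPLE" ocspcheck -No "$STAPLE" "$CERT" && _changed=1
    if [ "$_changed" -eq 1 ]; then
        rcctl reload relayd
    fi
}

# Invoke with "run" from root's crontab, e.g. (assumed install path):
#   ~ ~ * * * /usr/local/sbin/honk-renew.sh run
case "${1-}" in
    run) renew ;;
esac
```

Because ocspcheck runs on every invocation, the staple is refreshed on the cron schedule even during the months when acme-client has nothing to renew.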
