EFA Let's Encrypt

Posted: 26 Apr 2019 11:05
by jamerson
Hi Guys,
I just wanna share my experience with Let's Encrypt.
The cron job to renew the certificate apparently is not working.
I have disabled the job and re-enabled it to generate the new certificate.

After this was done the certificate became valid.

Re: EFA Let's Encrypt

Posted: 26 Apr 2019 18:45
by shawniverson
Good to know. I will check and try to find out what is happening with the cron job.

Re: EFA Let's Encrypt

Posted: 06 May 2019 11:51
by jamerson
Today is the 3rd box where SSL has failed;
enabling it and disabling it solved the problem.
Just wanna share it.

Re: EFA Let's Encrypt

Posted: 16 May 2019 21:28
by warlord
Looking at the script that generates the crontab, there is a bug in the certbot cron job.
Specifically, certbot will require you to restart the applications after the certificate is renewed. That's why it appears not to work. You need a post-hook to restart httpd (and any other services).
On other systems I do this by the following files/scripts:

# cat /etc/cron.weekly/certbot
/usr/bin/certbot renew  --quiet --pre-hook /usr/local/bin/certbot-pre --post-hook /usr/local/bin/certbot-post

# cat /usr/local/bin/certbot-pre
#!/bin/sh
/usr/bin/firewall-cmd --add-service http

# cat /usr/local/bin/certbot-post
#!/bin/sh
/usr/bin/firewall-cmd --remove-service http
/usr/sbin/service httpd force-reload
/usr/sbin/service postfix restart
Note that I restart postfix because, IMHO, postfix should accept TLS-based email and will need to be restarted when the certificate is renewed. I don't know if EFA configures that itself, but IMHO it should!

Re: EFA Let's Encrypt

Posted: 17 May 2019 18:00
by warlord
One more bug in EFA's Let's Encrypt integration.
When I enabled it, it created the new certificate but didn't restart httpd to have it take effect. I had to do that manually. Obviously this is related to the cert renewal issue above.
And, of course, even though postfix is configured for TLS, it does not use the L.E. key/certificate.

Re: EFA Let's Encrypt

Posted: 31 May 2019 20:01
by warlord
Hi,
I tracked down another certbot cron issue (see my post about the cron getpwnam errors).
Specifically, /etc/cron.d/certbotrenew is broken -- it's missing the username to run the script as.
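A check for the two cron problems warlord describes above (the missing user field in the /etc/cron.d entry, and the services that need a hook after renewal), as an added example that is not eFa's code or the poster's; the cron lines it scans are constructed samples and /usr/local/bin/certbot-deploy is an assumed hook path:

```shell
#!/bin/sh
# Added example, not eFa's or warlord's own code. /etc/cron.d entries are
# system crontab lines: five time fields, then the USER to run as, then the
# command. Dropping the user field makes cron read the command path as the
# user name, so the job never runs (cron logs getpwnam() failures instead).

# Return 0 if a cron.d line is well formed, 1 if the user field is missing
# or malformed. Blank lines, comments and VAR=value lines are accepted.
crond_line_ok() {
    set -f                         # the '*' time fields must not glob-expand
    # shellcheck disable=SC2086
    set -- $1                      # split the line into words
    set +f
    case "${1:-#}" in
        '#'*) return 0 ;;          # blank line or comment
        *=*)  return 0 ;;          # environment setting such as MAILTO=root
        @*)   [ $# -ge 3 ] || return 1; user=$2 ;;   # @weekly user command
        *)    [ $# -ge 7 ] || return 1; user=$6 ;;   # m h dom mon dow user cmd
    esac
    # An account name never contains '/', so a missing user field shows up
    # as the command path landing in the user slot.
    case "$user" in
        */*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Print each offending line of a cron.d file; return 1 if any were found.
check_crond_file() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        crond_line_ok "$line" || { printf 'bad cron.d line: %s\n' "$line"; rc=1; }
    done < "$1"
    return $rc
}

# Constructed sample lines (not the real certbotrenew contents). The fixed
# line uses --deploy-hook, which certbot runs only when a certificate was
# actually renewed, so httpd/postfix are not bounced on every weekly run as
# they would be with --post-hook. /usr/local/bin/certbot-deploy is assumed.
BROKEN='0 3 * * 0 /usr/bin/certbot renew --quiet'
FIXED='0 3 * * 0 root /usr/bin/certbot renew --quiet --deploy-hook /usr/local/bin/certbot-deploy'

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    printf '%s\n%s\n' "$BROKEN" "$FIXED" > "$tmp"
    check_crond_file "$tmp"        # reports the BROKEN line, exit status 1
    rm -f "$tmp"
fi
```

Run it as `sh check.sh demo` to see the broken line flagged; a clean file gives no output and exit status 0.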

Re: EFA Let's Encrypt

Posted: 28 Jul 2019 15:31
by shawniverson
Testing now. I left off the port 80 on/off because port 80 is open by default on eFa4 to redirect to https, but I think I will test port 80 and then toggle it, but only if it is off to start with.

Re: EFA Let's Encrypt

Posted: 29 Jul 2019 14:08
by warlord
shawniverson wrote: 28 Jul 2019 15:31 Testing now. I left off the port 80 on/off because port 80 is open by default on eFa4 to redirect to https, but I think I will test port 80 and then toggle it, but only if it is off to start with.
I think it's safe to just leave that off if you think 80 is always open. But yeah, if 80 is off, you might need to open and close it, but I don't know how best to toggle that within the scripts.