Hi Guys,
I just wanna share my experience with Let's Encrypt.
The cron job to renew the certificate apparently is not working.
I have disabled the job and re-enabled it to generate the new certificate.
After this was done the certificate became valid.
EFA Let's Encrypt
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
- shawniverson
Re: EFA Let's Encrypt
Good to know. I will check and try to find out what is happening with the cron job.
Re: EFA Let's Encrypt
Today is the 3rd box on which SSL has failed;
enabling it and disabling it solved the problem.
Just wanna share it.
Re: EFA Let's Encrypt
Looking at the script that generates the crontab, there is a bug in the certbot cron job.
Specifically, certbot will require you to restart the applications after the certificate is renewed. That's why it appears not to work. You need a post-hook to restart httpd (and any other services).
Note that I restart postfix because, IMHO, postfix should accept TLS-based email and will need to be restarted when the certificate is renewed. I don't know if EFA configures that itself, but IMHO it should!
On other systems I do this by the following files/scripts:
# cat /etc/cron.weekly/certbot
/usr/bin/certbot renew --quiet --pre-hook /usr/local/bin/certbot-pre --post-hook /usr/local/bin/certbot-post
# cat /usr/local/bin/certbot-pre
#!/bin/sh
# open port 80 so certbot's HTTP challenge can reach the box
/usr/bin/firewall-cmd --add-service http
# cat /usr/local/bin/certbot-post
#!/bin/sh
# close port 80 again, then reload the services so they pick up the renewed certificate
/usr/bin/firewall-cmd --remove-service http
/usr/sbin/service httpd force-reload
/usr/sbin/service postfix restart
Re: EFA Let's Encrypt
One more bug in EFA's Let's Encrypt integration.
When I enabled it, it created the new certificate but didn't restart httpd to have it take effect. I had to do that manually. Obviously this is related to the cert renewal issue above.
And, of course, even though postfix is configured for TLS, it does not use the L.E. key/certificate.
Re: EFA Let's Encrypt
Hi,
I tracked down another certbot cron issue (see my post about the cron getpwnam errors).
Specifically, /etc/cron.d/certbotrenew is broken -- it's missing the username to run the script as.
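As an added example (not eFa's own code), here is a small lint for the cron.d bug described in this post: it flags lines where the command sits in the user column, which is what makes cron log getpwnam errors and skip the renewal. The constructed corrected sample also carries the httpd post-hook recommended earlier in the thread; the file names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not eFa's own code: lint a /etc/cron.d-style file for the bug
# described above. cron.d lines carry a USER column between the five time
# fields and the command; when it is missing, cron calls getpwnam() on the
# first word of the command (e.g. "/usr/bin/certbot"), logs a getpwnam error
# and never runs the job, so the certificate silently stops renewing.

# Print one diagnostic per bad line; exit status 0 if the file is clean, 1 if not.
check_crond_file() {
    awk '
        BEGIN { rc = 0 }
        # skip comments, blank lines and NAME=value environment settings
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            ucol = ($1 ~ /^@/) ? 2 : 6          # @reboot etc. have one time field
            why = ""
            if (NF <= ucol)
                why = "too few fields, command sits in the user column"
            else if ($ucol ~ /\//)
                why = "user column looks like a path: " $ucol
            else if ($ucol !~ /^[A-Za-z_][A-Za-z0-9_.-]*$/)
                why = "user column is not a valid username: " $ucol
            if (why != "") { print FILENAME ":" NR ": " why; rc = 1 }
        }
        END { exit rc }
    ' "$1"
}

# Constructed samples (hypothetical file names): the broken shape reported above
# next to a corrected line whose post-hook reloads httpd after renewal.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'SHELL=/bin/sh' \
        '30 2 * * * /usr/bin/certbot renew --quiet' > "$dir/certbotrenew.broken"
    printf '%s\n' 'SHELL=/bin/sh' \
        '30 2 * * * root /usr/bin/certbot renew --quiet --post-hook "service httpd force-reload"' \
        > "$dir/certbotrenew.fixed"
    echo "$dir"
}

samples=$(write_samples)
for f in "$samples"/certbotrenew.*; do
    check_crond_file "$f" && echo "$f: ok"
done
```

Run it against /etc/cron.d/certbotrenew on a box where the renewal job is not firing; a non-zero exit points at the offending line.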
- shawniverson
Re: EFA Let's Encrypt
Testing now. I left off the port 80 on/off because port 80 is open by default on eFa4 to redirect to https, but I think I will test port 80 and then toggle it, but only if it is off to start with.
Re: EFA Let's Encrypt
> shawniverson wrote (28 Jul 2019 15:31):
> Testing now. I left off the port 80 on/off because port 80 is open by default on eFa4 to redirect to https, but I think I will test port 80 and then toggle it, but only if it is off to start with.

I think it's safe to just leave that off if you think 80 is always open. But yeah, if 80 is off, you might need to open and close it, but I don't know how best to toggle that within the scripts.