solid / solidcommunity.net

Operational issue tracking for solidcommunity.net
https://solidcommunity.net
MIT License

Check certificate renewal #18

Open justinwb opened 3 years ago

justinwb commented 3 years ago

Ensure that certbot renewal is in place and functioning correctly.

bourgeoa commented 3 years ago

It would be nice to have an automatic renewal of Let's Encrypt certificates.

I followed the gandi plugin issue and it seems that this plugin https://github.com/obynio/certbot-plugin-gandi has been updated and is working again. Maybe it is usable for automatic cert updates followed by a restart of solidcommunity.net and solidcommunity.net:8443.

bourgeoa commented 3 years ago

Let's Encrypt certificate renewal every 3 months:

bourgeoa commented 1 year ago

systemd contains /lib/systemd/system/certbot.timer which makes an automatic certbot renewal every 2 months. The renewal configuration files are located in /etc/letsencrypt/renewal/

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/solidcommunity.net
cert = /etc/letsencrypt/live/solidcommunity.net/cert.pem
privkey = /etc/letsencrypt/live/solidcommunity.net/privkey.pem
chain = /etc/letsencrypt/live/solidcommunity.net/chain.pem
fullchain = /etc/letsencrypt/live/solidcommunity.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = *******************
pref_challs = dns-01,
authenticator = certbot-plugin-gandi:dns
certbot_plugin_gandi:dns_credentials = /etc/letsencrypt/gandi.ini
server = https://acme-v02.api.letsencrypt.org/directory

The remaining issue is to restart the servers (pm2 restart all) after an update of the certs. A cron job every 3 weeks would do the trick.

# restart on Monday every 3 weeks at 1am to eventually pick up the certs that are renewed with systemd every 2 months
# weekday field is 1 (Monday), matching the Monday 2022-06-06 reference date; % is escaped as \% because cron turns an unescaped % into a newline; [ ] instead of [[ ]] so it also works under cron's default /bin/sh
0 1 * * 1 [ $(( ( $(date +\%s) - $(date +\%s --date=20220606) ) / 86400 \% 21 )) -eq 0 ] && pm2 restart all

done

csarven commented 1 year ago

For my personal stuff, I have a daily cron that checks whether certificates are due for renewal, e.g.

0 0    * * * user certbot -n renew

And if the day falls into a period where renewals are possible, it will attempt to renew - this is well ahead of it possibly ever expiring.

bourgeoa commented 1 year ago

The use of Ubuntu snap for certbot is taking too much RAM. snapd is running in the background and when updating certbot this creates memory swaps. https://matrix.to/#/!VAJLTawStGAyYwzTTY:gitter.im/$O4l4ActnrIWDRQ7zDucSVOMWY_sSb4f85NFJSdJz65E?via=gitter.im&via=matrix.org

This could be avoided using https://askubuntu.com/questions/1045542/how-to-stop-snapd-from-auto-updating