Open justinwb opened 3 years ago
It would be nice to have automatic renewal of Let's Encrypt certificates.
I followed the gandi plugin issue and it seems that this plugin https://github.com/obynio/certbot-plugin-gandi has been updated and is working again. Maybe it is usable for automatic cert updates followed by a restart of solidcommunity.net and solidcommunity.net:8443.
Let's Encrypt certificates renewal every 3 months:
systemd contains `/lib/systemd/system/certbot.timer`, which makes an automatic certbot renewal every 2 months.
The renewal configuration files are located in `/etc/letsencrypt/renewal/`:
```ini
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/solidcommunity.net
cert = /etc/letsencrypt/live/solidcommunity.net/cert.pem
privkey = /etc/letsencrypt/live/solidcommunity.net/privkey.pem
chain = /etc/letsencrypt/live/solidcommunity.net/chain.pem
fullchain = /etc/letsencrypt/live/solidcommunity.net/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = *******************
pref_challs = dns-01,
authenticator = certbot-plugin-gandi:dns
certbot_plugin_gandi:dns_credentials = /etc/letsencrypt/gandi.ini
server = https://acme-v02.api.letsencrypt.org/directory
```
The remaining issue is to restart the servers (`pm2 restart all`) after an update of the certs.
A cron job every 3 weeks would do the trick:
```crontab
SHELL=/bin/bash
# restart on Monday (day-of-week 1) every 3 weeks at 1am to eventually update the certs that are renewed with systemd every 2 months
# '%' is special in crontab and must be escaped as '\%'; [[ ]] needs bash, hence SHELL=/bin/bash
0 1 * * 1 [[ $(( ( $(date +\%s) - $(date +\%s --date=20220606) ) / 86400 \% 21 )) -eq 0 ]] && pm2 restart all
```
done
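An event-driven alternative to the fixed 3-weekly restart, added here as an example that is not from the thread or from the node-solid-server project: certbot runs every executable in `/etc/letsencrypt/renewal-hooks/deploy/` once after a successful renewal, with `RENEWED_LINEAGE` (the `live/` directory of the renewed cert) and `RENEWED_DOMAINS` in the environment. The hook below restarts pm2 only when the solidcommunity.net lineage was the one renewed, and only if the new key and chain are actually readable. The lineage path is taken from the renewal config above; the log file path and the `WATCHED_LINEAGE` / `LOG_FILE` overrides are assumptions of this example.

```shell
#!/bin/bash
# Constructed example deploy hook (not part of the thread). Install as
# /etc/letsencrypt/renewal-hooks/deploy/restart-solid.sh and make it executable.
# certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it invokes deploy hooks,
# so the server is restarted on the renewal event itself instead of on a timer,
# which also sidesteps the crontab '%' escaping issue.
set -eu

# Lineage whose renewal should trigger a restart (assumed; matches the
# live/ path in the renewal config quoted above).
WATCHED_LINEAGE="${WATCHED_LINEAGE:-/etc/letsencrypt/live/solidcommunity.net}"
# Assumed log location for an audit trail of restarts and skips.
LOG_FILE="${LOG_FILE:-/var/log/solid-cert-restart.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Return 0 when the renewed lineage is the one the server loads, 1 otherwise.
# Trailing slashes are stripped so "/live/x/" and "/live/x" compare equal;
# an empty lineage (hook run outside certbot) never matches.
should_restart() {
    lineage="${1%/}"
    watched="${2%/}"
    [ -n "$lineage" ] && [ "$lineage" = "$watched" ]
}

# Guard before restarting: the restarted server needs both the full chain and
# the private key, otherwise it would fail to bind port 443/8443.
cert_files_present() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

main() {
    lineage="${RENEWED_LINEAGE:-}"
    if ! should_restart "$lineage" "$WATCHED_LINEAGE"; then
        log "skip: lineage '${lineage:-<unset>}' is not the watched lineage"
        exit 0
    fi
    if ! cert_files_present "$lineage"; then
        log "error: fullchain.pem or privkey.pem missing/unreadable in $lineage"
        exit 1
    fi
    log "restart: $lineage renewed for ${RENEWED_DOMAINS:-?}"
    pm2 restart all
}

# Only act when certbot invoked us (RENEWED_LINEAGE set); sourcing the file
# for tests or running it by hand without that variable does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because certbot only runs deploy hooks after a renewal that actually produced new files, the server is never restarted needlessly, and a renewal that happens outside the cron window is picked up immediately rather than up to three weeks later.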
For my personal stuff, I have a daily cron that checks whether certificates are due for renewal, e.g.
```crontab
0 0 * * * user certbot -n renew
```
And if the day falls into a period where renewals are possible, it will attempt to renew; this is well ahead of it possibly ever expiring.
The use of the Ubuntu snap for certbot is taking too much RAM. snapd is running in the background and when updating certbot this creates memory swaps. https://matrix.to/#/!VAJLTawStGAyYwzTTY:gitter.im/$O4l4ActnrIWDRQ7zDucSVOMWY_sSb4f85NFJSdJz65E?via=gitter.im&via=matrix.org
This could be avoided using https://askubuntu.com/questions/1045542/how-to-stop-snapd-from-auto-updating
Ensure that certbot renewal is in place and functioning correctly.