DaemonForums  

Old 30th June 2022
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,992
Reducing letsencrypt.org SSL certificate renewal requests

letsencrypt.org provides free SSL certificates using the ACME protocol. Because these certificates are only valid for 90 days, they have to be renewed. This renewal can be automated with a cron(8) job.

All tutorials I have seen show an entry in the crontab(5) table/configuration file for daily renewal requests. I find that kind of silly. Although you can do a certificate renewal request whenever you want, the cert will only actually be renewed if it is less than 30 days old.

On OpenBSD my entry for a cert renewal request with acme-client(1) every 8 days looks like this:
Code:
# crontab -l
[snip]
# ------------------------------------------ 
# renew letsencrypt certificate every 8 days
# ------------------------------------------ 
#minute hour    mday    month   wday    [flags] command
# the following line with '8~52' always runs at 14:17 ..... So try something new
#8~52   14      */8     *       *       acme-client -v siralas.nl && rcctl reload relayd
31~59   14      */8     *       *       acme-client -v siralas.nl && rcctl reload relayd
Please note that I use relayd(8) to do the TLS de/encryption for the webserver. So when the certificate has been renewed, relayd(8) has to be reloaded to use the fresh new certificate.

An overview of the emails that are sent after the cronjob has run:
Code:
71 Feb  1    Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
72 Feb  9    Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
73 Feb 17    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
74 Feb 25    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd

75 Mar  1    Cron Daemon (781) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
76 Mar  9    Cron Daemon  (4K) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
77 Mar 17    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
78 Mar 25    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd

79 Apr  1    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
80 Apr  9    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
81 Apr 17    Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
82 Apr 25    Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd

83 May  1    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
84 May  9    Cron Daemon  (4K) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
85 May 17    Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
86 May 25    Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd

87 Jun  1    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
88 Jun  9    Cron Daemon (783) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
89 Jun 17    Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
90 Saturday  Cron Daemon (785) Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd
Most of the time these emails are only about 780 chars long. Because of the verbose -v option the email has a size of about 4K when the cert has been renewed.

At the first day of every month the 8 day cycle is restarted. Keep this in mind if you would like to use a different cycle.

The contents of the April 1st mail:
Code:
Date: Fri, 1 Apr 2022 14:17:02 +0200 (CEST)
From: Cron Daemon <root@nedrag.siralas.nl>
To: root@nedrag.siralas.nl
Subject: Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd

acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 66 days
left
The following emails (edited for brevity):
Code:
Date: Sun, 17 Apr 2022 14:17:01 +0200 (CEST)
acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 50 days
left

Date: Mon, 25 Apr 2022 14:17:01 +0200 (CEST)
acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 42 days
left

Date: Sun, 1 May 2022 14:17:01 +0200 (CEST)
acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate valid: 36 days
left
The next mail of May 9 reports a renewal because 28 days is less than 30.

Code:
Date: Mon, 9 May 2022 14:17:01 +0200 (CEST)
From: Cron Daemon <root@nedrag.siralas.nl>
To: root@nedrag.siralas.nl
Subject: Cron <root@nedrag> acme-client -v siralas.nl && rcctl reload relayd

acme-client: /etc/ssl/siralas.nl.fullchain.pem: certificate renewable: 28
days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
[snip]
acme-client: order.status 3
acme-client:
https://acme-v02.api.letsencrypt.org/acme/cert/04a99a960ec3ea0f03a1a1713afe1
0918189: certificate
acme-client: /etc/ssl/siralas.nl.fullchain.pem: created
relayd(ok)
BTW The proper way to edit crontab(5) is, having root powers, to use the command: # crontab -e
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
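As an added example (not the poster's code, and not part of acme-client), the following Python simulates on which days the `*/8` mday field fires and what the days-left check would report at each run; the notAfter value, the +0200 offset and the 90-day renewal model are constructed so that the figures reproduce the April/May mails in the post.

```python
"""Simulate the '*/8' renewal cron job from the post and acme-client's days-left check."""
import calendar
import ssl
from datetime import datetime, timedelta, timezone

# acme-client only renews when fewer than this many days are left (per the post).
RENEW_THRESHOLD_DAYS = 30
# The cron mails in the post are stamped +0200 (CEST); fixed offset is enough here.
CEST = timezone(timedelta(hours=2))


def cron_run_days(step: int, year: int, month: int) -> list:
    """Days on which a '*/step' mday field fires: 1, 1+step, ... up to month end."""
    last_day = calendar.monthrange(year, month)[1]
    return list(range(1, last_day + 1, step))


def parse_not_after(not_after: str) -> datetime:
    """Turn an OpenSSL-style notAfter string ('Jun  7 11:17:00 2022 GMT') into UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_left(expiry: datetime, now: datetime) -> int:
    """Whole days until expiry, rounded down like acme-client's 'N days left'."""
    return (expiry - now) // timedelta(days=1)


def simulate(not_after: str, year: int, months: list, step: int = 8,
             hour: int = 14, minute: int = 17) -> dict:
    """Map each cron run date to (days_left, renewed).

    A renewal is modelled as a fresh 90-day certificate issued at the run time
    (constructed approximation of a Let's Encrypt 90-day certificate)."""
    expiry = parse_not_after(not_after)
    results = {}
    for month in months:
        for day in cron_run_days(step, year, month):
            run = datetime(year, month, day, hour, minute, tzinfo=CEST)
            left = days_left(expiry, run)
            renew = left < RENEW_THRESHOLD_DAYS
            results[run.date().isoformat()] = (left, renew)
            if renew:
                expiry = run.astimezone(timezone.utc) + timedelta(days=90)
    return results


# Constructed notAfter chosen so the figures match the post's April/May mails.
EXAMPLE_NOT_AFTER = "Jun  7 11:17:00 2022 GMT"

if __name__ == "__main__":
    for date, (left, renew) in simulate(EXAMPLE_NOT_AFTER, 2022, [4, 5, 6]).items():
        print(f"{date}: {left:3d} days left{'  -> renewed' if renew else ''}")
```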