posted by cmn32480 on Wednesday March 14 2018, @02:16PM   Printer-friendly
from the simple-cypers dept.

Ars Technica reports

In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.

[...] Many hosting providers already support the registration of Let's Encrypt certificates to varying degrees. But Let's Encrypt's free certificate offering hasn't been snapped up by some larger hosting providers, such as GoDaddy, who also sell SSL certificates to their customers.


  • (Score: 2) by Whoever on Wednesday March 14 2018, @03:28PM (3 children)

    by Whoever (4524) on Wednesday March 14 2018, @03:28PM (#652422) Journal

    Weekly?

    It isn't too difficult to write a script that looks at the expiry date and renews the certs when they are about to expire. Alternatively, monthly is fine.

  • (Score: 2) by lentilla on Wednesday March 14 2018, @04:44PM

    by lentilla (1770) on Wednesday March 14 2018, @04:44PM (#652485)

    It's not that it's too difficult to write a script, it's just that it's so very easy to get wrong.

    With cronjobs (and their ilk) there are so many failure modes to consider, and each further test you incorporate needs to be validated in its own right and adds another potential point of failure. Having an automated process isn't like having a personal assistant who'll pipe up and say "hey, boss, I couldn't renew our certificate this week" and has enough smarts to call you on the telephone if you don't reply to an email.

    Like you said, it's not difficult, but writing cronjobs is an exercise in abundant caution.

  • (Score: 5, Informative) by bryan on Wednesday March 14 2018, @05:03PM

    by bryan (29) <bryan@pipedot.org> on Wednesday March 14 2018, @05:03PM (#652497) Homepage Journal

    The ACME client itself will take care of this. You simply run the certbot command in a cron job as often as you want and it only renews certs that are close to the expiration date. Example output:

    The following certs are not due for renewal yet:
        /etc/letsencrypt/live/zenbi.org/fullchain.pem (skipped)
        /etc/letsencrypt/live/pipecode.org/fullchain.pem (skipped)
    No renewals were attempted.

  • (Score: 2) by TheRaven on Thursday March 15 2018, @08:37AM

    by TheRaven (270) on Thursday March 15 2018, @08:37AM (#652837) Journal

    By default, acme-client will only renew certs that are within 30 days of expiring, so a weekly cron job means that it will typically have 3 attempts to renew that can fail before you actually suffer from problems. I realised that I'd left -F in my acme-client.sh from debugging, so mine was actually renewing the certs every week. I was still well below the threshold for rate limiting by Let's Encrypt, so there isn't really a downside of doing this.

    Without the -F, there isn't really a reason not to run the cron job nightly - it will skip certs that are still a long way from expiring and you then have 30 attempts for the cron job to fail before your users notice anything.

    --
    sudo mod me up
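The thread above touches on two points: Whoever's "script that looks at the expiry date" and lentilla's warning that a cron job fails silently unless you make it loud. The script below is an added example, not code posted by any commenter and not part of certbot or acme-client. It reads notAfter from a certificate with openssl(1), computes whole days remaining, and only invokes a renewal command when that falls at or below a threshold (30 days, matching the default bryan and TheRaven describe). It assumes GNU date(1) with -d (BSD date needs -j -f instead); RENEW_CMD and ALERT_CMD are placeholders for whatever your renewal client and alerting channel are. Any failure exits non-zero so cron's own mail or your monitoring sees it rather than the job quietly doing nothing.

```shell
#!/bin/sh
# Added example (not from the thread): renew a certificate only when it is
# close to expiry, and report failure loudly instead of silently.
# Assumptions: openssl(1) on PATH, GNU date(1) with -d, certificate path as $1.
# RENEW_CMD and ALERT_CMD are placeholders; replace them with your own commands.
set -eu

THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"             # renew when <= this many days remain
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"    # placeholder renewal command
ALERT_CMD="${ALERT_CMD:-logger -t cert-renew}"     # placeholder: mail, pager, syslog, ...

# days_left NOW_EPOCH EXPIRY_EPOCH -> prints whole days remaining (negative if expired)
days_left() {
    echo $(( ($2 - $1) / 86400 ))
}

# renewal_due DAYS THRESHOLD -> succeeds (exit 0) when DAYS <= THRESHOLD
renewal_due() {
    [ "$1" -le "$2" ]
}

# expiry_epoch CERT_PATH -> prints the certificate's notAfter as seconds since the epoch.
# openssl prints "notAfter=Mar 14 12:00:00 2018 GMT"; GNU date parses that text.
expiry_epoch() {
    notafter=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -d "$notafter" +%s
}

main() {
    cert="$1"
    now=$(date +%s)
    # An unreadable or unparsable certificate is itself an alert condition.
    exp=$(expiry_epoch "$cert") || { $ALERT_CMD "cannot read expiry of $cert"; exit 2; }
    left=$(days_left "$now" "$exp")
    if renewal_due "$left" "$THRESHOLD_DAYS"; then
        if $RENEW_CMD; then
            $ALERT_CMD "renewed $cert ($left days were left)"
        else
            # Non-zero exit makes cron mail the output and lets monitoring catch it.
            $ALERT_CMD "RENEWAL FAILED for $cert, $left days left"
            exit 1
        fi
    else
        echo "$cert: $left days left, not due (threshold $THRESHOLD_DAYS days)"
    fi
}

# Only act when a certificate path is given, so the file can also be sourced
# for its helper functions.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

Run it from cron as `sh renew-check.sh /etc/letsencrypt/live/example.org/cert.pem` (example path) nightly; as TheRaven notes, a daily run against a 30-day threshold gives roughly 30 chances to recover from a transient failure before anyone notices, and every one of those failures is logged and surfaced by the non-zero exit.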