<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Feb 29, 2016 at 10:53 PM, Bernie Innocenti <<a href="mailto:bernie@codewiz.org" target="_blank">bernie@codewiz.org</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Great, thanks for taking care of this and for the update. Dumb question: which letsencrypt client are we using? There are a number of options: <a href="https://community.letsencrypt.org/t/list-of-client-implementations/2103" rel="noreferrer" target="_blank">https://community.letsencrypt.org/t/list-of-client-implementations/2103</a></blockquote><div> </div><div>We are using the official one.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> A couple of weeks ago, I wanted to setup letsencrypt for <a href="http://codewiz.org" rel="noreferrer" target="_blank">codewiz.org</a>, but the official one seemed quite overengineered, so I tried letsencrypt-nosudo instead. The problem with the nosudo script is that it's designed for interactive renewal when the user key is kept offline (a prudent measure, but I'm too lazy for that :-).</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> The next ones I'd like to try are: <a href="https://github.com/kuba/simp_le" rel="noreferrer" target="_blank">https://github.com/kuba/simp_le</a> <a href="https://github.com/lukas2511/letsencrypt.sh" rel="noreferrer" target="_blank">https://github.com/lukas2511/letsencrypt.sh</a> </blockquote><div>I would also like to try the first one.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> Anyway, I'm shocked by how many weird ways exist to do something as simple as generating an SSL certificate and getting it signed by a CA with a challenge. What are your impressions? </blockquote><div> </div><div>Agree. This is the reason because exists a lot of "tiny" and "simple" clients out there. The official one is doing a lot of things.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> On 02/29/2016 11:04 AM, Samuel Cantero wrote: > Hi, > > I was testing our access to the .well-known/acme-challenge directory for > www.slo and nagios.slo. LE must have access to this directory in order > to validate the domain with a set of challenges (in this case > provisioning an HTTP resource under this URI). This access wasn't > working. I fixed it for http and https. Now, we are also forcing https > for all pages except domain/.well/known-challenge. It was forcing https > for all pages. > > In addition, sometime ago we defined in nginx the same directory for the > acme-challenge for both domains but we forgot to set the same webroot in > the LE config file for each domain. I also fixed this. > > I tested all this config with the nagios domain and the certificate was > renewed successfully. I also changed in the renewal script the renewal > time. We defined to renew the SSL certificate 15 days before the > expiration day. I changed this to 30 in order to validate the process > with the www.slo domain in 3 days. www.slo certificate was issued on > January 3 and is going to expire on April 2. > > Best regards, > > Samuel C. > > On Fri, Feb 26, 2016 at 10:56 PM, Bernie Innocenti <<a href="mailto:bernie@codewiz.org" target="_blank">bernie@codewiz.org</a> > <mailto:<a href="mailto:bernie@codewiz.org" target="_blank">bernie@codewiz.org</a>>> wrote: > > Sam, could you make the renew-certs-le not produce any output when > everything goes well and only nag if we need to fix something? > > -------- Forwarded Message -------- > Subject: Cron <root@freedom> test -x /usr/sbin/anacron || ( cd / && > run-parts --report /etc/cron.daily ) > Date: Fri, 26 Feb 2016 08:00:07 -0500 (EST) > From: Cron Daemon <<a href="mailto:root@freedom.sugarlabs.org" target="_blank">root@freedom.sugarlabs.org</a> > <mailto:<a href="mailto:root@freedom.sugarlabs.org" target="_blank">root@freedom.sugarlabs.org</a>>> > To: <a href="mailto:root@freedom.sugarlabs.org" target="_blank">root@freedom.sugarlabs.org</a> <mailto:<a href="mailto:root@freedom.sugarlabs.org" target="_blank">root@freedom.sugarlabs.org</a>> > > /etc/cron.daily/renew-certs-le: > The certificate for <a href="http://nagios.sugarlabs.org" rel="noreferrer" target="_blank">nagios.sugarlabs.org</a> > <<a href="http://nagios.sugarlabs.org" rel="noreferrer" target="_blank">http://nagios.sugarlabs.org</a>> is up to date, no need for > renewal (36 days left for renewal). > The certificate for <a href="http://sugarlabs.org" rel="noreferrer" target="_blank">sugarlabs.org</a> <<a href="http://sugarlabs.org" rel="noreferrer" target="_blank">http://sugarlabs.org</a>> is up to > date, no need for renewal (36 > days left for renewal). > /etc/cron.daily/wizbackup: > 1456488867:lightwave.sugarlabs.org:0:255 > run-parts: /etc/cron.daily/wizbackup exited with return code 1 > > > _______________________________________________ > Systems mailing list > <a href="mailto:Systems@lists.sugarlabs.org" target="_blank">Systems@lists.sugarlabs.org</a> <mailto:<a href="mailto:Systems@lists.sugarlabs.org" target="_blank">Systems@lists.sugarlabs.org</a>> > <a href="http://lists.sugarlabs.org/listinfo/systems" rel="noreferrer" target="_blank">http://lists.sugarlabs.org/listinfo/systems</a> > > -- _ // Bernie Innocenti \X/ <a href="http://codewiz.org" rel="noreferrer" target="_blank">http://codewiz.org</a> </blockquote></div> </div></div>