[exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice rando…

Author: Slavko
To: exim-users
Subject: [exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.
On 19 November 2023 at 19:33:12 UTC, Viktor Dukhovni via Exim-users <exim-users@???> wrote:

>It is possible for the path unit to fail to run, but the ACME client
>believes it is done. Does systemd's path unit guarantee "at least once"
>execution.


The ACME client doesn't need to (nor does it) know about that. The cert is
renewed on another host (container), it is placed in one dir on the
target host after renewal, and that is all for certbot. Then the systemd
path unit is activated locally and the cert is copied to its final place.

Sure, its execution can fail. Systemd has the ability to restart its services
in case of a non-success return code, but now I am not sure if that will
happen with units triggered by a path (or similar) unit; I add that to my
ToDo (to try/verify it). Anyway, if the unit fails:

a) monitoring will alert me about the failed systemd unit
b) the old certificate will stay in place
c) sooner or later monitoring will alert me about the expiring cert
d) if my script fails, its unit fails and a) will happen

Alerts are repeated (hourly for systemd units and daily for expiration)
until solved. As LE certs are renewed 30 days before expiration, there is
enough time to solve the problem. Various problems have already happened
(over the years), including cert renewal, and that monitoring/alerting
works for me.

>I called that "gating" in the linked thread. You're (at least compared
>to most :-) a sophisticated user.


Or more simply, I am aware of "Murphy's law": "If something can
fail, it will fail, and if something cannot fail, it will fail too" (rough
translation) :-)

>    * Staging a future key, that the ACME client will conditionally
>      switch to, once the TLSA record is live.


Do you mean the opposite of the usual certbot logic: first generate the key, then
set up TLSA for it, and after that request a certificate for/with that key?

>    * Avoiding reliance on "certbot" hooks, which (last I checked) don't
>      guarantee "at least once" execution.


Do you mean the ability to rerun the hook if it fails? Or do you mean that
certbot can skip/fail to run the hook after renewal at all?

regards


--
Slavko
https://www.slavino.sk/
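
The "copy the cert to its final place, and fail loudly if anything is wrong" step described in the message above, as an added example that is not part of the original thread and not certbot's, systemd's or Exim's own code. It is a POSIX shell script meant to be the ExecStart of the oneshot service that the path unit triggers. The staging and live directory layout, the file names privkey.pem/fullchain.pem, the 0640 group-readable mode and the MIN_DAYS threshold are all assumptions for illustration; every check returns non-zero without touching the live files, so the unit goes to "failed" and the monitoring in points a), b) and d) does the rest.

```shell
#!/bin/sh
# cert-install.sh <staged-dir> <live-dir>
#
# Added example, not code from the thread, certbot or Exim. Assumed layout:
# the ACME host drops privkey.pem + fullchain.pem into <staged-dir>; a
# systemd .path unit (PathChanged=<staged-dir>/fullchain.pem) starts a
# oneshot .service whose ExecStart runs this script.
#
# Every check below returns non-zero and changes nothing on failure, so the
# unit ends up "failed", monitoring alerts, and the previous certificate
# stays in place.
set -eu

MIN_DAYS=${MIN_DAYS:-7}   # assumption: reject a staged cert expiring sooner than this

# check_pair KEY CERT: both files exist, parse, belong together, and the
# leaf certificate is still valid for at least MIN_DAYS days.
check_pair() {
    key=$1; crt=$2
    [ -s "$key" ] || { echo "cert-install: missing key $key" >&2; return 1; }
    [ -s "$crt" ] || { echo "cert-install: missing cert $crt" >&2; return 1; }
    command -v openssl >/dev/null 2>&1 \
        || { echo "cert-install: openssl not found" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "cert-install: key does not parse" >&2; return 1; }
    openssl x509 -in "$crt" -noout 2>/dev/null \
        || { echo "cert-install: cert does not parse" >&2; return 1; }
    # Key/cert match: the SubjectPublicKeyInfo derived from the private key
    # must equal the one inside the certificate. Catches a key staged with
    # the wrong certificate, which would make every TLS handshake fail.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] \
        || { echo "cert-install: key does not match cert" >&2; return 1; }
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null 2>&1 \
        || { echo "cert-install: cert expires within $MIN_DAYS days" >&2; return 1; }
}

# install_pair KEY CERT LIVE-DIR: copy a verified pair into LIVE-DIR through
# temporary files in the same directory and rename them into place, so a
# reader never sees a half-written file and the old files survive any
# failure that happens before the final mv.
install_pair() {
    key=$1; crt=$2; dest=$3
    check_pair "$key" "$crt" || return 1
    [ -d "$dest" ] || { echo "cert-install: no such directory $dest" >&2; return 1; }
    tmpk=$dest/.privkey.pem.$$; tmpc=$dest/.fullchain.pem.$$
    # umask in a subshell: temp files are born private, then opened up to
    # the assumed exim group (0640) before they become visible under the
    # final names.
    if ! ( umask 077 && cp "$key" "$tmpk" && cp "$crt" "$tmpc" \
           && chmod 0640 "$tmpk" "$tmpc" ); then
        rm -f "$tmpk" "$tmpc"
        echo "cert-install: copy into $dest failed" >&2
        return 1
    fi
    mv "$tmpk" "$dest/privkey.pem" && mv "$tmpc" "$dest/fullchain.pem"
}

# Entry point for the systemd service. Exim expands tls_certificate at the
# start of each TLS session and reads the files then, so no daemon restart
# is needed; a daemon that caches its certificate would need a reload here.
main() {
    install_pair "$1/privkey.pem" "$1/fullchain.pem" "$2" || return 1
    echo "cert-install: installed new certificate into $2"
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Two notes on the design. The key/cert match and expiry checks are what turn "the copy ran" into "the copy produced something Exim can serve"; without them a successful unit can still leave a broken TLS setup that only the daily expiry alert would catch. The two renames are not one transaction, so a crash between them leaves a mismatched pair for an instant; a versioned directory swapped in with one symlink rename closes that gap if it matters for the deployment.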
