On Sun, Nov 19, 2023 at 09:33:37PM +0000, Slavko via Exim-users wrote:
> > * Staging a future key, that the ACME client will conditionally
> > switch to, once the TLSA record is live.
>
> Do you mean opposite of usual certbot logic: first generate key, then
> setup TLSA for it, and after that request certificate for/with that key?
Generate a staged key, that sits there, unused, waiting for TLSA records
to appear, and once that has been in place long enough, obtain a cert
for the new key, otherwise, in the meantime keep using the old key.
> > * Avoiding reliance on "certbot" hooks, which (last I checked) don't
> > guarantee "at least once" execution.
>
> Do you mean ability to rerun hook if it fails? Or do you mean, that
> certbot can skip/fail to run hook after renew at all?
I mean "at least once" successful execution, so yes, rerun on failure,
or even if the hook never got to run at all, because the system rebooted
before it got a chance to run, but the new cert was already obtained.
Of course with alerts any time the hook fails. When I looked, I found
no code in certbot that ensured at least once execution of hooks, so
(per Murphy's Law) they're unreliable, and a better approach is needed.
--
Viktor.
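The staged-key logic described in the reply above, as an added illustration that is not code from the thread, from Exim or from any ACME client. It assumes Ed25519 keys (so the SubjectPublicKeyInfo can be built from a raw 32-byte key with a fixed DER prefix), takes the published TLSA rdata as a constructed list standing in for a real DNS lookup, and leaves the "long enough" period as a parameter; a TLSA "3 1 1" record is just the SHA-256 of the DER SPKI, which is why it can be published for a key that has no certificate yet.

```python
"""Decide whether a staged DANE key is ready to have a certificate issued.

Added example (not from the mailing-list thread). A TLSA record with
usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1
(SHA2-256) covers only the public key, so it can be published before any
certificate exists for that key. The decision below mirrors the rollover
described in the reply: keep the old key until the staged key's record
has been visible long enough, then switch and request a cert for it.
"""
import hashlib
from typing import Iterable, Optional, Tuple

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID id-Ed25519 }, BIT STRING (32 bytes) }
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki_der(raw_public_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in a DER-encoded SPKI."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return _ED25519_SPKI_PREFIX + raw_public_key


def tlsa_3_1_1(spki_der: bytes) -> str:
    """Presentation-format rdata of the DANE-EE / SPKI / SHA2-256 record."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def _norm(rdata: str) -> str:
    # Zone files and resolvers differ in case and whitespace; compare loosely.
    return " ".join(rdata.lower().split())


def is_published(published_rdata: Iterable[str], expected_rdata: str) -> bool:
    """True if the expected rdata is among the records currently published."""
    return _norm(expected_rdata) in {_norm(r) for r in published_rdata}


def rollover_decision(
    published_rdata: Iterable[str],
    active_spki_der: bytes,
    staged_spki_der: bytes,
    first_seen: Optional[int],
    now: int,
    min_live_seconds: int,
) -> Tuple[str, Optional[int]]:
    """Return (action, first_seen).

    action is one of:
      "alert"  the key in service has no TLSA record: publishing is broken,
               do not touch anything and raise an alert;
      "keep"   staged record not yet visible, keep the old key (timer reset);
      "wait"   staged record visible but not yet for min_live_seconds;
      "switch" staged record has been live long enough: obtain a cert for
               the staged key and put it into service.
    first_seen is the time the staged record was first observed, carried
    between runs by the caller (persist it, do not rely on one hook run).
    """
    published = list(published_rdata)
    if not is_published(published, tlsa_3_1_1(active_spki_der)):
        return ("alert", first_seen)
    if not is_published(published, tlsa_3_1_1(staged_spki_der)):
        return ("keep", None)
    if first_seen is None:
        return ("wait", now)
    if now - first_seen < min_live_seconds:
        return ("wait", first_seen)
    return ("switch", first_seen)


if __name__ == "__main__":
    # Constructed keys and a constructed DNS answer; in practice the answer
    # would come from a validating resolver lookup of _25._tcp.<mx host>.
    active = ed25519_spki_der(bytes(range(32)))
    staged = ed25519_spki_der(bytes(range(32, 64)))
    answer = [tlsa_3_1_1(active), tlsa_3_1_1(staged)]
    state = None
    for t in (0, 3600, 7200):
        action, state = rollover_decision(answer, active, staged, state, t, 7200)
        print(t, action, state)
```

The caller is expected to run this from cron or a timer and persist `first_seen` between runs, which is what gives the "at least once" behaviour the reply asks for: a reboot or a failed run simply means the next run re-evaluates the same persisted state rather than losing the event.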