Suggestions about cert renewal

joe_hayward · April 29, 2017, 6:19pm

Mailinabox is an awesome tool!! Thanks for making it available!!

A couple of suggestions about cert renewal:

There’s no reason to attempt to renew certs every night, once or twice a week is sufficient. Letsencrypt will allow renewals 30 days ahead of expiration, so renewal attempts once a week would have 3 or 4 opportunities to work on a weekly renewal schedule. The problem with attempting renewal every night, is if it fails - in my case because my DNS servers are external to the box - then I can’t fix it manually myself because Letsencrypt won’t allow more than 5 attempts in a week to renew. So I was blocked from manually fixing the problems myself and and had to disable your nightly attempt for several days.
If a box has DNS configured on external servers, could you NOT attempt cert renewal using DNS?
The easiest way I’ve found to do Letsencrypt renewals without DNS is:
/etc/init.d/nginx stop
certbot-auto certonly -n --standalone -d servername.domainName
/etc/init.d/nginx start
Only takes a couple of seconds to run - downtime is minimal and it works very reliably.

Thanks again for the great project!!

JoshData · April 30, 2017, 11:52am

We attempt renewal between 14 and 30 days ahead of expiration:

github.com

mail-in-a-box/mailinabox/blob/main/management/ssl_certificates.py#L200


      
          
          	domains_to_provision = set()
          	domains_cant_provision = { }
          
          	for domain in plausible_web_domains:
          		# Skip domains that the user doesn't want to provision now.
          		if limit_domains and domain not in limit_domains:
          			continue
          
          		# Check that there isn't an explicit A/AAAA record.
          		if domain not in actual_web_domains:
          			domains_cant_provision[domain] = "The domain has a custom DNS A/AAAA record that points the domain elsewhere, so there is no point to installing a TLS certificate here and we could not automatically provision one anyway because provisioning requires access to the website (which isn't here)."
          
          		# Check that the DNS resolves to here.
          		else:
          
          			# Does the domain resolve to this machine in public DNS? If not,
          			# we can't do domain control validation. For IPv6 is configured,
          			# make sure both IPv4 and IPv6 are correct because we don't know
          			# how Let's Encrypt will connect.
          			bad_dns = []

As long as there are 3 or 4 attempts, I’m fine with reducing the frequency.

If a box has DNS configured on external servers, could you NOT attempt cert renewal using DNS?

One has nothing to do with the other. Cert renewal on the box does not require that DNS be hosted on the box. (We use HTTP validation.)