certificates let’s encrypt

let’s encrypt

debian installs an old version of certbot
2021-06-29:
root@a0:/etc/letsencrypt# certbot --version
certbot 0.31.0
so we downloaded from git:
root@a0:/etc/letsencrypt# /home/phomlish/certbot/venv3/bin/certbot --version
certbot 1.15.0

certbot renewals are running from:
root@a0:/etc/letsencrypt# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven’t been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /home/phomlish/certbot/venv3/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && /home/phomlish/certbot/venv3/bin/certbot -q renew

but it seems maybe I am running certbot.timer
root@a0:/etc/letsencrypt# systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Tue 2021-06-29 00:27:05 EDT; 17min ago
Trigger: Tue 2021-06-29 13:20:59 EDT; 12h left

Jun 29 00:27:05 a0 systemd[1]: Stopped Run certbot twice daily.
Jun 29 00:27:05 a0 systemd[1]: Stopping Run certbot twice daily.
Jun 29 00:27:05 a0 systemd[1]: Started Run certbot twice daily.

I had trouble finding the file:
/etc/systemd/system/certbot-renewal.service
they were hiding here:
/usr/lib/systemd/system/certbot.service
/usr/lib/systemd/system/certbot.timer

systemctl restart certbot.timer
systemctl restart certbot.service
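
Added example (not from the original notes): the cron entry above is guarded by "! -d /run/systemd/system", so under systemd it never fires and certbot.timer starts certbot.service instead, whose ExecStart may name a different certbot than the one edited into the cron file. This sketch reports which scheduler is active and which binary it runs; the ROOT argument and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which scheduler really runs "certbot renew", and with which
# binary? ROOT ($1) is a hypothetical prefix for inspecting a copied tree;
# leave it empty to inspect the live system.

# Print the certbot binary named on a cron or ExecStart= line ending in "renew".
renew_bin() {
    [ -r "$1" ] || return 0
    awk '!/^[ \t]*#/ && $NF == "renew" {
        for (i = NF; i > 0; i--) if ($i ~ /certbot$/) {
            sub(/^ExecStart=[-@+!:]*/, "", $i); print $i; exit }
    }' "$1"
}

# First certbot.service found; /etc overrides the packaged unit directories.
unit_file() {
    for d in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system; do
        [ -f "$1$d/certbot.service" ] && { echo "$1$d/certbot.service"; return 0; }
    done
    return 0
}

# Under systemd the cron guard makes the cron line a no-op, so the unit's
# ExecStart decides which certbot runs; otherwise the cron line does.
active_renewer() {
    if [ -d "$1/run/systemd/system" ]; then
        echo "systemd $(renew_bin "$(unit_file "$1")")"
    else
        echo "cron $(renew_bin "$1/etc/cron.d/certbot")"
    fi
}

# Non-empty output: the active scheduler runs a different certbot than the
# one written into /etc/cron.d/certbot.
renewer_mismatch() {
    active=$(active_renewer "$1"); active_bin=${active#* }
    cron_bin=$(renew_bin "$1/etc/cron.d/certbot")
    [ "$active_bin" = "$cron_bin" ] || echo "cron=$cron_bin active=$active"
}

active_renewer "${1:-}"
renewer_mismatch "${1:-}"
```

On a live host, systemctl cat certbot.service is the authoritative view, since it also shows drop-in overrides that this sketch ignores.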

# this will show hosts:
openssl x509 -in fullchain.pem -text
# DNS:blog.homlish.net, DNS:homlish.net, DNS:joesfigtrees.com, DNS:mail.homlish.net, DNS:mail.joesfigtrees.com, DNS:pjhiii.homlish.net, DNS:recipes.homlish.net, DNS:www.homlish.net, DNS:www.joesfigtrees.com

certbot certonly --webroot -w /usr3/web/http/ --dry-run -d secure.homlish.net

****** homlish-net
certbot certonly --webroot -w /usr3/web/http --dry-run \
-d homlish.net \
-d blog.homlish.net \
-d mail.homlish.net \
-d pjhiii.homlish.net \
-d recipes.homlish.net \
-d www.homlish.net

certbot certonly --webroot -w /usr3/web/http \
-d homlish.net \
-d blog.homlish.net \
-d mail.homlish.net \
-d pjhiii.homlish.net \
-d recipes.homlish.net \
-d www.homlish.net

certbot certonly --webroot -w /usr3/web/http/ --dry-run \
-d mydetv.com,www.mydetv.com \
-d swarm.mydetv.com,swarm.dev.mydetv.com,swarm.local.mydetv.com,swarm.staging.mydetv.com \
-d mail.mydetv.com \
-d mydelawaretv.com,www.mydelawaretv.com,mail.mydelawaretv.com

certbot certonly --webroot -w /usr3/web/http/ \
-d mydetv.com,www.mydetv.com \
-d swarm.mydetv.com,swarm.dev.mydetv.com,swarm.local.mydetv.com,swarm.staging.mydetv.com \
-d mail.mydetv.com \
-d mydelawaretv.com,www.mydelawaretv.com,mail.mydelawaretv.com

sudo certbot delete --cert-name mydelawaretv.com

certbot certonly --webroot -w /usr3/web/http/ --dry-run -d jplay.homlish.net -d jukebox.homlish.net
certbot certonly --webroot -w /usr3/web/http/ -d jplay.homlish.net -d jukebox.homlish.net

certbot certonly --webroot -w /usr3/web/http/ -d grafana.homlish.net