Date:
Wed Feb 1 05:00:29 2023 UTC
Message:
Daily backup
version=pmwiki-2.2.130 ordered=1 urlencoded=1
author=mkf
charset=UTF-8
ctime=1656190137
name=Acme-client.AutoRenew
rev=4

(:title Automating acme-client Renewal:)

[[http://man.openbsd.org/acme-client.1|acme-client's man page]] provides a nice simple crontab entry for common usage.

The following is for a mail server running @@dovecot@@ and NO permanently running @@httpd@@. Though it's somewhat specific, it should be trivial to alter the script for one's own needs.

Two things are assumed to be in place already: @@/etc/acme-client.conf@@ describes the domain, and @@/etc/httpd.conf@@ has a server block for it that listens on port 80 and serves @@/.well-known/acme-challenge/@@ from the challenge directory (the acme-client man page has examples of both). acme-client talks to Let's Encrypt by itself; @@httpd@@ is only needed so that Let's Encrypt can fetch the http-01 challenge token from your host.


!! Shell script

As the use-case is not entirely trivial, we opted for a shell script. The output as it stands is fairly verbose, but again, this would be easy to tweak.
This script is perhaps a little over-engineered and is open to improvement. It attempts to only do the necessary work and exit cleanly upon any error. In particular, @@httpd@@ is started only for the duration of the renewal and stopped again afterwards, so the mail server does not expose a web listener the rest of the time.

Create and edit @@/usr/local/bin/renew_cert@@ (or a filename of your choice - just remember to edit any later commands/files as necessary).
The only essential change is to set @@<your.domain>@@ appropriately.

[@
#!/bin/ksh

# Renew Let's Encrypt certificate(s) for the mail server domain(s)
# Returns
#   0: Success (certificate renewed and dovecot reloaded)
#   1: Certificate up to date (nothing done)
#   2: Error

# Print message to stdout or stderr
# Messages for stdout are marked [INFO], stderr are marked [ERROR]
# Expects
#   $1: stdout|stderr
#   $2: Message text
# Silently fails if called badly
print_msg() {
    if [ $# -ne 2 ]; then
        return
    fi
    if [ "$1" = "stdout" ]; then
        outfd=1
        tag="[INFO]"
    elif [ "$1" = "stderr" ]; then
        outfd=2
        tag="[ERROR]"
    else
        return
    fi
    msg=$2
    echo "${tag} ${msg}" >&$outfd
}

# Let's Encrypt must be able to fetch the http-01 challenge from port 80,
# so httpd has to be up while acme-client runs.
# rcctl check exits 0 if httpd is running, 1 if it is not.
rcctl check httpd > /dev/null
httpd_check=$?

# Only start httpd if it's not already running
# (-f starts it even though it is not enabled in rc.conf.local)
if [ $httpd_check -eq 1 ]; then
    print_msg stdout "Starting httpd"
    rcctl -f start httpd
    if [ $? -ne 0 ]; then
        print_msg stderr "Failed to start httpd"
        exit 2
    fi
fi

# Attempt to renew certificate
# acme-client exits 0 if it wrote a new certificate, 1 on error and
# 2 if the certificate was still valid and nothing changed
print_msg stdout "Renewing mail server certificate"
acme-client <your.domain>
acme_check=$?

# Only stop httpd if it was not already running
if [ $httpd_check -eq 1 ]; then
    print_msg stdout "Stopping httpd"
    rcctl stop httpd
fi

if [ $acme_check -eq 2 ]; then
    print_msg stdout "Certificate up to date"
    exit 1
elif [ $acme_check -ne 0 ]; then
    # 1 is acme-client's own error status; anything else (e.g. 127 if the
    # binary is missing) is treated as an error too rather than as success
    print_msg stderr "Failed to renew certificate"
    exit 2
fi

print_msg stdout "Successfully renewed certificate"

# Serve the new certificate
print_msg stdout "Reloading dovecot"
rcctl reload dovecot
if [ $? -ne 0 ]; then
    print_msg stderr "Failed to reload dovecot"
    exit 2
fi
@]

!!! Permissions

The script calls @@rcctl@@ and @@acme-client@@, so it has to run as root. Make it root-owned and readable, writable and executable by root only:

@@# chown root:wheel /usr/local/bin/renew_cert@@

@@# chmod 700 /usr/local/bin/renew_cert@@


!! cronjob

acme-client only renews a certificate once it is within 30 days of expiry (otherwise it exits 2 and does nothing; @@-F@@ forces a renewal), and Let's Encrypt certificates are issued for 90 days. We use a simple cronjob to run our script fortnightly, which leaves two attempts before the certificate expires. Running it weekly costs nothing extra, since a run with nothing to do is cheap, and leaves more room for a failed attempt.

Output is piped to @@logger@@ to be written to the system log.

With your favourite text-editor (@@vim@@), create or append to @@/etc/weekly.local@@, which @@/etc/weekly@@ sources when root's crontab runs it:

[@
week=$(date +%V)
test 1 -eq $(( ${week#0} & 1 )) && /usr/local/bin/renew_cert | logger -t "[acme renewal]"
@]

The use of @@test@@ is because running this once every two weeks should be more than enough: @@%V@@ is the ISO week number, so the script only runs in odd-numbered weeks. The technique was found [[https://unix.stackexchange.com/a/197411 | here]] and seems reasonable. Two details matter. The leading zero of weeks 01 to 09 is stripped with @@${week#0}@@, because @@ksh@@ reads a number with a leading zero as octal and rejects @@08@@ and @@09@@. The script is called by its full path because the periodic scripts run with a minimal @@PATH@@ that need not include @@/usr/local/bin@@. (A @@%@@ in a @@date@@ format only needs a backslash inside a crontab line, not in @@weekly.local@@.)

Note that only stdout goes to @@logger@@; the @@[ERROR]@@ lines are written to stderr and so end up in the weekly report that cron mails to root. Put @@2>&1@@ before the pipe if you want them in the system log as well.

By default @@logger@@ will likely output to @@/var/log/messages@@, but this can be confirmed by checking your @@/etc/syslog.conf@@.
You may also direct @@logger@@ to output elsewhere; see @@-p@@ in [[http://man.openbsd.org/logger.1|logger's man page]].
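The fortnightly gate in the @@weekly.local@@ line above is easy to get subtly wrong, so here it is as an added example (not code from the original page) in the form of two small POSIX sh functions that can be tested with fixed week numbers. The function names are my own; @@is_odd_week@@ takes the week number as printed by @@date +%V@@ and @@run_fortnightly@@ applies it to the current week.

```shell
#!/bin/sh
# Added example: fortnightly gate on the ISO week number.
# Not part of the original page; the function names are assumptions.

# is_odd_week WEEK
# Succeeds (exit 0) when WEEK, as printed by `date +%V` (01..53), is odd,
# fails (exit 1) when it is even, and returns 2 for anything that is not a
# week number.  The leading zero is stripped first: "08" would otherwise be
# parsed as an octal constant and rejected by ksh, bash and dash alike.
is_odd_week() {
    week=${1#0}
    [ "$week" -gt 0 ] 2>/dev/null || return 2
    [ $(( week & 1 )) -eq 1 ]
}

# run_fortnightly CMD [ARGS...]
# Runs CMD in odd ISO weeks only.  In even weeks it succeeds without doing
# anything, so a `set -e` caller or an `&&` chain in weekly.local is not
# disturbed.
run_fortnightly() {
    if is_odd_week "$(date +%V)"; then
        "$@"
    else
        return 0
    fi
}

# Typical use from /etc/weekly.local:
#   run_fortnightly /usr/local/bin/renew_cert | logger -t "[acme renewal]"
```

Because the gate is a plain function, it can be exercised with both edge cases (week 08, which must not be read as octal, and week 53, which must still count as odd) before it is trusted in cron.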
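Before trusting the @@renew_cert@@ script and its cron job, it helps to be able to ask two questions by hand: does the certificate on disk actually need renewing, and does @@dovecot@@ really present the renewed certificate after the reload? The following is an added example (not the page's or OpenBSD's own code) of a small POSIX sh helper for both. The function names, the @@/etc/ssl/<domain>.fullchain.pem@@ path and the host names are assumptions; the live check needs network access to your IMAP port and is therefore not something that can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumed layout: acme-client
# writes the chain to /etc/ssl/<domain>.fullchain.pem and dovecot serves
# IMAPS on 993 (implicit TLS) or IMAP with STARTTLS on 143.

# cert_expires_within FILE DAYS
#   0: the first certificate in FILE expires within DAYS days (renewal due)
#   1: it is still good beyond DAYS days
#   2: FILE is missing or is not a PEM certificate
cert_expires_within() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_fingerprint FILE: print the SHA-256 fingerprint of the first certificate
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# same_cert FILE1 FILE2: succeed if both files carry the same leaf certificate
same_cert() {
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# live_cert HOST PORT: print the PEM certificate the IMAP server presents.
# Port 143 is treated as STARTTLS, any other port as implicit TLS.
# Needs network access; not exercised offline.
live_cert() {
    if [ "$2" = 143 ]; then
        starttls="-starttls imap"
    else
        starttls=""
    fi
    openssl s_client -connect "$1:$2" -servername "$1" $starttls </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# verify_deployed FILE HOST PORT: compare the on-disk certificate with the
# one the running service hands out (succeeds only when they match).
verify_deployed() {
    tmp=$(mktemp) || return 2
    live_cert "$2" "$3" > "$tmp"
    same_cert "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Command-line use, e.g. after a renewal run:
#   renew_check due  /etc/ssl/mail.example.org.fullchain.pem 30
#   renew_check live /etc/ssl/mail.example.org.fullchain.pem mail.example.org 993
if [ $# -gt 0 ]; then
    case "$1" in
        due)  cert_expires_within "$2" "${3:-30}" ;;
        live) verify_deployed "$2" "$3" "${4:-993}" ;;
        *)    echo "usage: $0 due FILE [DAYS] | live FILE HOST [PORT]" >&2; false ;;
    esac
    exit $?
fi
```

The @@due@@ check mirrors acme-client's own 30-day rule, so it can be run the day after the cron job to confirm that a renewal was actually due and done; the @@live@@ check catches the common failure where the file on disk was renewed but @@dovecot@@ was never reloaded (or reads its certificate from a different path) and keeps serving the old one.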
time=1656849017
title=Automating acme-client Renewal
author:1656849017=mkf
author:1656190620=rahl
csum:1656190620=mini disclaimer
author:1656190237=rahl
csum:1656190237=Fix formatting
author:1656190137=rahl
csum:1656190137=Initial writeup
IRCNow