On 8/17/16 4:12 PM, Dr James Smith wrote:
> It may be possible to write your own auto-renewal script relatively
> easily for Let's Encrypt. I have done so for Apache as (a) I don't use
> the standard paths and setup, (b) I wish to use HPKP on my servers for
> additional security and "Let's Encrypt" auto scripts generate a new key
> each time which breaks this (the signature changes and is
> unpredictable) - so my script generates a Let's Encrypt request with
> the appropriate key (either the same OR the backup key I've already
> generated).
>
> I now have a relatively simple script which reads my config file and
> generates keys accordingly if required (the only thing it doesn't do is
> restart the server for the new certificates to be read) but it does
> inform me this is happening.
>
> It shouldn't be too difficult for nginx to do similar.

It might be nice to provide a patch to certbot for that kind of thing.
Others would certainly appreciate it.

-chris

> On 17/08/2016 20:23, R wrote:
>> It seemed like the auto-renewal process for ssl from LetsEncrypt is
>> not supported yet for nginx, at least according to this article on its
>> publication date:
>>
>> https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
>>
>> My needs are really simple and I wanted to go with whichever would be
>> simpler to setup.
>>
>> On Wed, Aug 17, 2016 at 2:50 PM, Dr James Smith <js5@xxxxxxxxxxxx> wrote:
>>
>> Depends on your backends - nginx is good if it is serving primarily
>> static files and/or proxying back to quick responding backends. It
>> seems to be less well suited to slower/heavier backends. Apache always
>> seems to work - slower mind you - but always seems to work... So if
>> reliability is your requirement then nginx may be a problem!
>>
>> On 17/08/2016 19:41, Erik Dobák wrote:
>>
>> why did not you use nginx anyway? should be faster and modern. did not
>> have the chance to try that yet myself. still using apache everywhere.
>>
>> On 17 August 2016 at 03:18, R <bittransfer2000@xxxxxxxxx> wrote:
>>
>> Ugh sorry, I had a test installation of nginx on the machine, which
>> was not fully removed after doing "apt-get remove". Looks like it
>> would still start up somehow. After I purged nginx, then apache2
>> started ok after reboot.
>>
>> Thanks
>>
>> On Tue, Aug 16, 2016 at 8:57 PM, R <bittransfer2000@xxxxxxxxx> wrote:
>>
>> Hi, this is everything from cat /var/log/apache2/error.log:
>>
>> [Mon Aug 15 13:42:17.138117 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
>> [Mon Aug 15 13:42:17.138282 2016] [core:notice] [pid 26081:tid 139773925775232] AH00094: Command line: '/usr/sbin/apache2'
>> [Mon Aug 15 14:55:14.003814 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00493: SIGUSR1 received. Doing graceful restart
>> AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
>> AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
>> [Mon Aug 15 14:55:14.054552 2016] [ssl:warn] [pid 26081:tid 139773925775232] AH01906:x:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
>> [Mon Aug 15 14:55:14.054736 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips configured -- resuming normal operations
>> [Mon Aug 15 14:55:14.054747 2016] [core:notice] [pid 26081:tid 139773925775232] AH00094: Command line: '/usr/sbin/apache2'
>> [Mon Aug 15 14:55:20.854353 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00493: SIGUSR1 received. Doing graceful restart
>> AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
>> [Mon Aug 15 14:55:20.865056 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
>> [Mon Aug 15 14:55:20.865076 2016] [core:notice] [pid 26081:tid 139773925775232] AH00094: Command line: '/usr/sbin/apache2'
>> [Mon Aug 15 14:55:23.807722 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00493: SIGUSR1 received. Doing graceful restart
>> AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
>> [Mon Aug 15 14:55:23.840209 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips configured -- resuming normal operations
>> [Mon Aug 15 14:55:23.840217 2016] [core:notice] [pid 26081:tid 139773925775232] AH00094: Command line: '/usr/sbin/apache2'
>> [Mon Aug 15 14:55:31.995008 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00493: SIGUSR1 received. Doing graceful restart
>> AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
>> [Mon Aug 15 14:55:32.023059 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips configured -- resuming normal operations
>> [Mon Aug 15 14:55:32.023076 2016] [core:notice] [pid 26081:tid 139773925775232] AH00094: Command line: '/usr/sbin/apache2'
>> [Mon Aug 15 14:56:04.269625 2016] [ssl:error] [pid 29903:tid 139773645637376] [client 64.41.200.108:39890] AH02042: rejecting client initiated renegotiation
>> [Mon Aug 15 18:40:58.774299 2016] [ssl:error] [pid 29904:tid 139773819877120] [client 64.41.200.105:34645] AH02042: rejecting client initiated renegotiation
>> [Mon Aug 15 19:07:02.626527 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00491: caught SIGTERM, shutting down
>> [Mon Aug 15 19:07:03.939317 2016] [mpm_event:notice] [pid 2548:tid 140489013651328] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41 OpenSSL/1.0.2g-fips configured -- resuming normal operations
>> [Mon Aug 15 19:07:03.939444 2016] [core:notice] [pid 2548:tid 140489013651328] AH00094: Command line: '/usr/sbin/apache2'
>> [Mon Aug 15 19:13:44.445770 2016] [mpm_event:notice] [pid 2548:tid 140489013651328] AH00491: caught SIGTERM, shutting down
>> [Mon Aug 15 19:13:45.265839 2016] [mpm_event:notice] [pid 2705:tid 140547327522688] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41 OpenSSL/1.0.2g-fips configured -- resuming normal operations
>> [Mon Aug 15 19:13:45.265879 2016] [core:notice] [pid 2705:tid 140547327522688] AH00094: Command line: '/usr/sbin/apache2'
>> [Tue Aug 16 20:12:44.384947 2016] [mpm_event:notice] [pid 2705:tid 140547327522688] AH00491: caught SIGTERM, shutting down
>>
>> On Tue, Aug 16, 2016 at 6:46 PM, Rodrigo Cunha <rodrigo.root.rj@xxxxxxxxx> wrote:
>>
>> execute cat /var/log/apache2/error.log and post stdout
>>
>> 2016-08-16 19:26 GMT-03:00 R <bittransfer2000@xxxxxxxxx>:
>>
>> Hi,
>>
>> I've installed apache on my Ubuntu 16.04 machine as follows:
>>
>> sudo apt-get install apache2
>>
>> and it works fine. It does not restart on its own though after a
>> reboot. Are there other Ubuntu 16.04 users that have it restarting on
>> reboot?
>>
>> Thanks
>>
>> --
>> Sincerely,
>> Rodrigo da Silva Cunha
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>> --
>> The Wellcome Trust Sanger Institute is operated by Genome Research
>> Limited, a charity registered in England with number 1021457 and a
>> company registered in England with number 2742969, whose registered
>> office is 215 Euston Road, London, NW1 2BE.
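
Added example (not part of the original thread and not Dr Smith's script): one way to keep HPKP pins valid across renewals is to build the certificate request from an existing key and to check its pin against the published pins before use. The function names, file names and example.test are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example. File names and example.test are constructed for the demo.

# HPKP pin = base64(SHA-256(DER SubjectPublicKeyInfo)); same value for a key,
# a CSR built from it, and any certificate issued for it.
spki_pin() {  # usage: spki_pin key|csr|cert FILE
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Build the renewal request from an existing key, so the pin does not change.
make_csr() {  # usage: make_csr KEY DOMAIN OUT_CSR
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# Succeed only if the object's pin is already listed in PINS_FILE
# (one pin per line: the primary and backup pins sent in Public-Key-Pins).
pin_is_published() {  # usage: pin_is_published key|csr|cert FILE PINS_FILE
    pin=$(spki_pin "$1" "$2") || return 1
    grep -qxF -- "$pin" "$3"
}

new_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null; }

demo() {
    d=$(mktemp -d) || return 1
    for k in primary backup fresh; do new_key "$d/$k.key"; done
    { spki_pin key "$d/primary.key"; spki_pin key "$d/backup.key"; } > "$d/pins.txt"
    make_csr "$d/primary.key" example.test "$d/renew.csr"  # reuses the pinned key
    make_csr "$d/fresh.key"   example.test "$d/fresh.csr"  # new key on every renewal
    pin_is_published csr "$d/renew.csr" "$d/pins.txt" && r1=ok || r1=blocked
    pin_is_published csr "$d/fresh.csr" "$d/pins.txt" && r2=ok || r2=blocked
    rm -rf "$d"
    echo "reused-key CSR: $r1; fresh-key CSR: $r2"
}

demo
```

A CSR built this way can be handed to an ACME client that accepts one, for example `certbot certonly --csr`.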