freemarker-dev mailing list archives

From Jacques Le Roux <>
Subject Re: instead of
Date Sat, 19 May 2018 11:42:57 GMT

On 19/05/2018 at 12:02, Daniel Dekany wrote:
> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>> Yes, the cron job ( should be run daily/nightly by root, content:
>> certbot renew
>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
>> -inkey /etc/letsencrypt/live/ -in
>> /etc/letsencrypt/live/ -certfile
>> /etc/letsencrypt/live/ -pass
>> pass:"theKnownPassword" (not copied here)
> Though you have posted that password to this mailing list anyway... ;)
Yes indeed, just once, but you're right I should have used private :/
Anyway we should change it and keep the new one in a specific file at

>> I think it should not change the rights to read in
>> /etc/letsencrypt/live (now with fmonlinetester in group)
> It would be surprising if it changes it.
Yep, just got surprisingly bitten once, so...

>> but we should try it manually once and check.
>> If it does change then we will need to re-add fmonlinetester
>> in the group at end of I crossed this read issue before as jleroux
>> user, initially the dir was readable w/o sudo and then not. Not
>> sure if it's certbot or openssl which did that in my case.
>> Also I don't think we need to care about change in
>> /etc/letsencrypt/live/ If there is no
>> change certificate.p12 will be the
>> same, no worries.
> Of course. It will need to issue that SSL cert reloading curl command
> though.
Ah indeed


>> I think we should not show the "theKnownPassword" in the wiki page...
> Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
> or private key one has to pawn the server anyway... and then he finds
> the password too.)
I think better fits for all private things
For instance the cron job copy and all the rest. And simply refer to private things from the

> Are there any Let's Encrypt related credentials we should be aware of
> (in case you become unavailable)?
Nope, I used only the temporary secret password everywhere and IIRW it was only when creating
the cert from .pem files.

> I think "Enter email address (used for urgent renewal and security
> notices)" should be
I agree! I used mine so far. To be changed like the cert password
Will you handle the job creation and the doc?

Have a good weekend
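
The renewal job discussed in this thread, as an added example (not code from the thread or from the server it describes) that reads the export password from a root-only file instead of passing it on the command line. The domain directory, the password file path and the optional `P12_GROUP` variable are placeholders; `privkey.pem`, `cert.pem` and `chain.pem` are certbot's standard file names.

```shell
#!/bin/sh
# Added example. Placeholder paths: replace with the real lineage directory
# and a root-only password file.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.invalid}"
PASS_FILE="${PASS_FILE:-/root/.p12-password}"
P12_OUT="${P12_OUT:-/etc/letsencrypt/live/certificate.p12}"
P12_GROUP="${P12_GROUP:-}"   # optional group of the service user (assumption)

# Succeeds only if the password file is non-empty and closed to group/others.
pass_file_ok() {
    [ -s "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds when the .p12 is missing or older than the renewed certificate.
needs_export() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# export_p12 LIVE_DIR PASS_FILE OUT_FILE
export_p12() {
    pass_file_ok "$2" || { echo "unsafe password file: $2" >&2; return 1; }
    needs_export "$1/cert.pem" "$3" || return 0
    tmp=$(umask 077 && mktemp "$3.XXXXXX") || return 1
    # -passout file: reads the password from the first line of the file, so
    # it never shows up in the crontab, in ps output or in shell history.
    if openssl pkcs12 -export -out "$tmp" -inkey "$1/privkey.pem" \
        -in "$1/cert.pem" -certfile "$1/chain.pem" -passout "file:$2"; then
        # Re-apply group read access after every export instead of relying
        # on the previous file's permissions surviving.
        if [ -n "$P12_GROUP" ]; then
            { chgrp "$P12_GROUP" "$tmp" && chmod 640 "$tmp"; } || { rm -f "$tmp"; return 1; }
        fi
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Cron entry point: run as root with the single argument "run".
if [ "${1:-}" = "run" ]; then
    certbot renew --quiet && export_p12 "$LIVE_DIR" "$PASS_FILE" "$P12_OUT"
fi
```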

