
Automatize certbot renewal

Open Benjamin-Loison opened this issue 2 years ago • 4 comments

Currently, proceeding by hand as follows works:

For i from 0 (included) to 2 (included):

  • make yt.lemnoslife.com point to yt{i}.lemnoslife.com (don't forget to wait for the TTL)
  • run certbot for both yt.lemnoslife.com and yt{i}.lemnoslife.com

Restore initial DNS yt.lemnoslife.com entry.

The issue is the ACME challenge due to yt.lemnoslife.com pointing to several instances.

As a first step, having a meta-command that connects over SSH and runs the required commands could do the job. It's not that easy to perform the DNS change in a general manner.

Could assume synchronization by spacing actions out in time on the various servers, but then it may mean temporarily relying on a single machine for a significant time.

Benjamin-Loison commented Apr 07 '23 19:04

Two other alternatives:

  • giving each official instance SSH access to a given one renewing the certificate
  • giving a given official instance, renewing the certificate, SSH access to all others

Well, in fact the issue is to get this certificate delivered, so these approaches don't help.

Note that I'm unsure that such an approach works; I should investigate which files certbot modifies.

Or make a script run automatically on the DNS server rather than by me manually. However, this still requires all the requests to go to a single server temporarily, which isn't ideal. As the downtime is minimal, with my current knowledge, which is quite limited concerning this very specific topic, and since such an event occurs only once every 3 months, let's say that proceeding this way is fine for the moment: it consists in a downtime of number of instances * TTL, which is 2 minutes in total currently. We could also temporarily reduce the TTL so that every request resolves the domain name; this increases the DNS workload, but it reduces the downtime to number of instances * certbot time, which is not too large a window, so the extra DNS workload doesn't last.

Benjamin-Loison commented Aug 22 '23 17:08

As I'm getting the following logs with renew_yt_https.py (2d33636), let's wait until near but before the expiration date to verify the algorithm's behavior (I put a calendar reminder):

['141.145.213.115', '141.145.212.187']
141.145.213.115 notAfter=Nov 11 14:02:13 2023 GMT
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for yt.lemnoslife.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yt.lemnoslife.com-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yt.lemnoslife.com-0001/privkey.pem
This certificate expires on 2023-11-21.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for yt.lemnoslife.com to /etc/apache2/sites-enabled/000-default-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://yt.lemnoslife.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Connection to 141.145.213.115 closed.
141.145.212.187 notAfter=Nov 11 14:05:24 2023 GMT
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/yt.lemnoslife.com-0001.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Could also provide something like renew as an argument to make it renew if necessary, but then I would have to run it multiple times within the period considered as expiring soon, which is a period that I'm not aware of (I haven't searched, in fact).

Benjamin-Loison commented Aug 23 '23 21:08
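The renewal check discussed in the two comments above, written out as an added example that is not the project's renew_yt_https.py: it parses the `<host> notAfter=...` lines that script prints (the `openssl x509 -noout -enddate` format, which is also what Python's `ssl.getpeercert()['notAfter']` returns) and applies certbot's default renewal window of 30 days before expiry, so a run with a `renew`-style argument can be scheduled daily and only acts on instances that are actually due. The two log lines are copied from the comment above; the third host (192.0.2.10, a documentation address), the function names and the `fetch_not_after` helper are constructed for this example.

```python
"""Fleet-wide certificate expiry check for a round-robin DNS name.

Added example, not the project's renew_yt_https.py.  It reads the
'<host> notAfter=...' lines that script prints and applies certbot's
default renewal window (renew once fewer than 30 days remain, certbot's
renew_before_expiry default), so a daily run acts only on instances
that are actually due.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# certbot's default renew_before_expiry is 30 days.
RENEW_WITHIN_DAYS = 30

# Two lines copied from the issue's log plus one constructed placeholder
# (192.0.2.10 is a documentation address) with a later expiry.
SAMPLE_ENDDATE_LINES = [
    "141.145.213.115 notAfter=Nov 11 14:02:13 2023 GMT",
    "141.145.212.187 notAfter=Nov 11 14:05:24 2023 GMT",
    "192.0.2.10 notAfter=Nov 21 14:00:00 2023 GMT",  # constructed
]


def at(text):
    """Parse 'Nov 11 14:02:13 2023 GMT' (certificate date format) to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def parse_enddate_line(line):
    """'<host> notAfter=Nov 11 14:02:13 2023 GMT' -> (host, aware UTC datetime)."""
    host, _, rest = line.strip().partition(" ")
    prefix = "notAfter="
    if not rest.startswith(prefix):
        raise ValueError(f"not an enddate line: {line!r}")
    return host, at(rest[len(prefix):])


def fetch_not_after(host, server_name, port=443, timeout=5.0):
    """Read notAfter from the certificate an instance actually serves.

    Connects to the instance by IP but sends the shared name as SNI so the
    instance presents the certificate for that name. Needs the network, so
    the offline checks below do not call it (hypothetical helper).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return parse_enddate_line(f"{host} notAfter={not_after}")


def days_remaining(not_after, now):
    """Fractional days between now and the certificate's notAfter."""
    return (not_after - now) / timedelta(days=1)


def renewal_plan(expiries, now, window_days=RENEW_WITHIN_DAYS):
    """Classify instances as 'expired', 'due' or 'ok'; each list is sorted by expiry.

    expiries: {host: aware datetime}. An instance is 'due' once fewer than
    window_days remain, i.e. inside certbot's default renewal window.
    """
    plan = {"expired": [], "due": [], "ok": []}
    for host, not_after in sorted(expiries.items(), key=lambda kv: kv[1]):
        left = days_remaining(not_after, now)
        if left <= 0:
            plan["expired"].append(host)
        elif left < window_days:
            plan["due"].append(host)
        else:
            plan["ok"].append(host)
    return plan


def fleet_not_after(expiries):
    """Earliest expiry across the fleet: a round-robin name is only as valid
    as the weakest instance it can resolve to."""
    return min(expiries.values())


def plan_from_lines(lines, now, window_days=RENEW_WITHIN_DAYS):
    """Parse enddate log lines and classify them against now."""
    expiries = dict(parse_enddate_line(line) for line in lines)
    return renewal_plan(expiries, now, window_days)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for state, hosts in plan_from_lines(SAMPLE_ENDDATE_LINES, now).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Checking `fleet_not_after` rather than each host in isolation is the point for a round-robin name: whichever instance a client happens to resolve to must still present a valid certificate, so the fleet's effective expiry is the earliest one, and the `due` list is what a `renew` argument would have to iterate over, one instance at a time, with the DNS switch and TTL wait from the procedure above.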

How to proceed to add a new instance, without talking about renewing (without downtime)?

Benjamin-Loison commented Aug 27 '23 21:08

Related to #195.

Benjamin-Loison commented Nov 09 '23 01:11