Forum OpenACS Development: Re: letsencrypt error on renew

Posted by Gustaf Neumann on
There are some updates to letsencrypt in the repositories:

The background operation "check_expired_certificates" in OpenACS 5.10 checks for expiring certificates and sends warnings before the expiry. This functionality has been available for a while. The new feature is that this function performs automated certificate renewal for letsencrypt certificates.

This change reduces maintenance effort by automating certificate renewal. When the NaviServer letsencrypt module is installed and configured, the background operation check_expired_certificates will automatically update the certificates when these expire soon (as defined by the "ExpireCertificateWarningPeriod" parameter of acs-admin). When a recent version of NaviServer is used that supports certificate re-fetch on SIGHUP, the new certificates are automatically updated without a server restart.

Prerequisites:

  • Recent version of letsencrypt NaviServer module installed (0.6) and configured
  • Recent version of NaviServer (currently Bitbucket tip) for automated certificate reloading

A sample configuration is in [1]. When the recent letsencrypt module is not installed, "check_expired_certificates" sends expiration warnings as usual. Therefore, the change does no harm to sites using certificates from different sources.

This new functionality was used for the latest certificate renewal on openacs.org and on lehrbuch-wirtschaftsinformatik.org.

Hopefully, someone will find this useful.
-g

[1] https://bitbucket.org/naviserver/naviserver/src/master/openacs-config.tcl