[Ach] bettercrypto.org certificate has expired today

Peter J. Holzer hjp at hjp.at
Sat Feb 25 10:31:41 CET 2017


On 2017-02-25 09:26:11 +0100, Tobias Pape wrote:
> On 25.02.2017, at 09:02, Aaron Zauner <azet at azet.org> wrote:
> > Maybe we should switch to Let's Encrypt and use the Certbot client? That'll get us new certificates and we won't have to pay.
> 
> It already is:
> 
> $ openssl s_client -connect bettercrypto.org:443
> CONNECTED(00000003)
> depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/CN=bettercrypto.org
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> 
> Maybe forgotten cronjob ;)

Or just forgot to restart the server. When I switched my private domains
to Let's Encrypt, I assumed that I would reboot the host at least once
in 90 days (e.g., because of a new kernel), so I wouldn't have to
restart the server after obtaining a new certificate. That turned out to
be not quite true. Not only doesn't Debian issue new kernels quite as
often as I thought, the time window is quite a bit shorter: If you
obtain a new certificate every month (as I do), the certificate may be
up to 31 days old when the server is restarted, so there are only 59
days left. So it's a good idea to either restart the server immediately
after obtaining a new certificate or have some other cron job which
restarts the server regularly.

        hp

-- 
   _  | Peter J. Holzer    | A coding theorist is someone who doesn't
|_|_) |                    | think Alice is crazy.
| |   | hjp at hjp.at         | -- John Gordon
__/   | http://www.hjp.at/ |    http://downlode.org/Etext/alicebob.html
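
Added example, not part of the original message: a check for the situation described above, where a renewed certificate is on disk but the running server still hands out the old one. It compares the SHA-256 of the leaf the server presents with the first certificate in the renewed file; the function names are hypothetical and the path to the renewed file is supplied by the caller.

```python
import hashlib
import re
import ssl

# Matches one PEM certificate block; a fullchain file contains several.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def leaf_fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in pem_text.

    A fullchain file holds the leaf first, then the intermediates, so only
    the first block is used. Hashing DER instead of the PEM text ignores
    differences in line endings or line wrapping.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def serves_stale_cert(served_pem, disk_pem):
    """True if the leaf being served differs from the leaf on disk."""
    return leaf_fingerprint(served_pem) != leaf_fingerprint(disk_pem)


def check(host, disk_path, port=443):
    """Fetch the live leaf and compare it with the renewed file on disk.

    get_server_certificate() does not validate the certificate here, so an
    already expired one is still returned and can be compared.
    """
    served = ssl.get_server_certificate((host, port))
    with open(disk_path, encoding="ascii") as fh:
        return serves_stale_cert(served, fh.read())


if __name__ == "__main__":
    import sys
    # Usage (arguments are assumptions): script.py HOST /path/to/fullchain.pem
    stale = check(sys.argv[1], sys.argv[2])
    print("STALE: reload the server" if stale else "OK: served cert matches disk")
    sys.exit(1 if stale else 0)
```

Run from cron after each renewal, a non-zero exit status means the server has not yet picked up the new certificate.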