00:16 <Darklight[m]> Letsencrypt is supposed to renew way before that...

06:56 <VITAS[m]> good point

06:56 <VITAS[m]> ill do that later today

09:16 <VITAS[m]> cert updated

09:16 <VITAS[m]> remind me on the end of novemeber :D

09:16 <VITAS[m]> -e

09:17 <VITAS[m]> autoupdate gets stuck and i have to manualy hit it multiple times

10:19 <Darklight[m]> I have a crontab that reloads apache every week, certbot updates it monthly? I think so worksforme.jpg

10:22 <VITAS[m]> not-that-simple.jpg

10:29 <Darklight[m]> Not for you :P

10:37 <VITAS[m]> yes :D

10:57 <VITAS[m]> the problem is that the dns auth of letsencrypt sometimes failes

10:58 <VITAS[m]> so ive to run it multiple times till all domains are good

10:58 <Darklight[m]> I keep forgetting you don't have the primary DNS NS like I do

10:59 <VITAS[m]> i do but i host it myself

10:59 <Darklight[m]> So do I

10:59 <VITAS[m]> i dont know what the problem is but it doesnt propagate like it should

10:59 <Darklight[m]> DNS propigates instantly for new domains

10:59 <VITAS[m]> not always that is

10:59 <VITAS[m]> my secondary ns it with my domain provider

11:00 <VITAS[m]> i think thats the problem

11:00 <VITAS[m]> they use a cluster of servers

11:00 <Darklight[m]> Only thing I can think of is your domain provider running slaves that don't properly get the dns update thingy

11:00 <VITAS[m]> and they dont get it all the time

11:00 <VITAS[m]> yes

11:01 <DasSkelett[m]> What do you have set as wait time for certbot? Maybe try increasing that?

11:01 <Darklight[m]> If it annoyed me enough I would remove their NS records and don't use them

11:01 <VITAS[m]> so i would have to write a script that finds out if the cert is out of date and then retries ntil it gets a new cert

11:01 <VITAS[m]> like 10 minutes

11:01 <Darklight[m]> They don't provide any extra reliability because your server will still "not found"

11:01 <VITAS[m]> i started low and now am at that point

11:01 <Darklight[m]> certbot does that hourly I think

11:02 <VITAS[m]> i use dehydrated

11:02 <Darklight[m]> I think they use a systemd timer rather than a cron

11:02 <DasSkelett[m]> 10 minutes should be enough, yeah.

11:03 <Darklight[m]> Well given that they update only happens like 1 month before it is due and the certs are 3 months I think?

11:03 <VITAS[m]> dehydrated uses powerdns api to add entries

11:03 <VITAS[m]> then

11:03 <VITAS[m]> ive a second script that uses ansible to distribute the new cert and restart the services

11:04 <VITAS[m]> because of the failures to gen a cert AND the distribution/service restarting

11:04 <Darklight[m]> Doesn't a bind reload send notified if you have secondaries set up? or is their servers retarded and acting like primaries?

11:04 <VITAS[m]> i cant use normal methods

11:04 <Darklight[m]> *edit:* ~~Doesn't a bind reload send notified if you have secondaries set up? or is their servers retarded and acting like primaries?~~ -> Doesn't a bind reload send notifies if you have secondaries set up? or is their servers retarded and acting like primaries?

11:04 <VITAS[m]> no bind

11:04 <VITAS[m]> powerdns

11:05 <VITAS[m]> i dont know why or how letsencrypt doesnt ask my ns

11:06 <VITAS[m]> all i need is a script that detects if the cert can be renewed, runs the getcert script until it gets a good cert

11:06 <VITAS[m]> then runs the distribution script

11:06 <VITAS[m]> so i think ive to parse the getcertscripts output and act uppon it

11:08 <Darklight[m]> Is there any reason you are delegating to their servers?

11:09 <VITAS[m]> i want a secondary ns in case i screw up

11:09 <Darklight[m]> Maybe NXDOMAIN sticks around too long

11:11 <VITAS[m]> we can try to automated it once i can renew the cert again because till then the output isnt the same

11:14 <Darklight[m]> certbot has ``--dns-rfc2136-propagation-seconds`` but I have no idea about your one, you can increase the delay

11:14 <VITAS[m]> i did that

11:14 <VITAS[m]> to 10min

11:14 <VITAS[m]> did improve a little bit but not fix it

11:15 <Darklight[m]> I am genuinely curious, if you wireshark when your bind reloads, does it send out dnsnotify followed by the slaves doing an AXFR? or is it using some non-dns wanky protocol?

11:25 <VITAS[m]> no bind

11:26 <VITAS[m]> and no reload as such

11:26 <VITAS[m]> powerdns and its api

11:26 <VITAS[m]> and yes im doing axfr

11:28 <RockyTV> speaking of LE, I need to figure out a way for my letsencrypt docker to notify my nginx-proxy docker to restart as soon as the certificate changes

11:28 <VITAS[m]> https://www.powerdns.com/

11:28 <RockyTV> the certificate renewal docker runs once a day or so

11:28 <VITAS[m]> docker \o/

11:28 <VITAS[m]> RockyTV (IRC): ansible

11:29 <VITAS[m]> is the answer to everything automated

11:29 <VITAS[m]> https://docs.ansible.com/ansible/latest/modules/docker_container_module.html

11:30 <Darklight[m]> RockyTV certbot has a post run script I believe

11:31 <Darklight[m]> Although you have a month to restart it, just issue a reload weekly and you will be fine ;)

11:32 <Darklight[m]> I pointed my apache where certbot actually keeps the certs so don't need to do any movey changey replacey

11:32 <VITAS[m]> i personaly want to reload/restart servcices only if they need to not weekly

11:33 <VITAS[m]> so ive that ansible script that first copies the new cert to the machine/container and then does what needs to be done to make it active

11:33 <VITAS[m]> i can also add more services to that playbook so its easy to host stuff like mailservers and what not

11:34 <DasSkelett[m]> Yeah it's not that easy, Docker containers can't restart each other by default. You'd either have to mount the docker socket in the certbot container, or hack some internal webhook that runs a script inside the nginx container issuing `nginx -s reload`

11:34 <VITAS[m]> i would have an ansible script run on the host and check for a new file in a folder thats mapped as storage to the lets encrypt container

11:34 <DasSkelett[m]> (in answer to @RockyTV)

11:35 <VITAS[m]> if theres a new file it can restart all related containers and those should map the same foolder as storage for certs

11:36 <VITAS[m]> bonus: you can have ansible do other maintance tasks as well like deploy containers or youir whole setup

11:36 <RockyTV> I use docker-compose

11:36 <VITAS[m]> think of ansible like "check if everything is like i defined if not make it so"

11:36 <RockyTV> I think I can just do a systemd timer unit to run `nginx -s reload` once a week or so on my nginx-proxy container?

11:37 <VITAS[m]> sure

11:37 <VITAS[m]> or ask someone to check it for you

11:37 <VITAS[m]> or do a cronjob

11:37 <VITAS[m]> :)

11:37 <RockyTV> root cronjob :P

11:37 <VITAS[m]> whatever floats your boat

11:38 <VITAS[m]> i like ansible because i dont have to care how its done

11:38 <VITAS[m]> its done

11:38 <VITAS[m]> thats what matters to me

11:38 <VITAS[m]> i only deliver the blueprint