Comments on: Letsencrypt: Free SSL Certificates for NGINX
https://www.justinsilver.com/technology/linux/letsencrypt-free-ssl-certificates-nginx/
Technology, Travel, and Pictures
Fri, 01 Mar 2019 17:57:14 +0000

By: Justin Silver
https://www.justinsilver.com/technology/linux/letsencrypt-free-ssl-certificates-nginx/#comment-2357
Fri, 02 Jun 2017 16:10:32 +0000
In reply to Markos.

Just did a bit of research and the recommendation is to run the renewal process weekly at minimum, though daily is preferred – https://serverfault.com/a/790776/141948

Monthly is not frequent enough. This script should run at least weekly, and preferably daily. Remember that certs don’t get renewed unless they are near to expiration, and monthly would cause your existing certs to occasionally be expired already before they get renewed.

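Added example, not part of the original comments: a day-by-day simulation of the daily, weekly and monthly check schedules discussed in this thread. It assumes Let's Encrypt's 90-day certificate lifetime and certbot's default of renewing once fewer than 30 days remain; the dates are constructed and time is counted in whole days.

```python
from datetime import date, timedelta

LIFETIME = timedelta(days=90)      # assumption: Let's Encrypt certificate lifetime
RENEW_WINDOW = timedelta(days=30)  # assumption: certbot renews once < 30 days remain

# Which calendar days the renewal check (e.g. a cron job) fires on.
SCHEDULES = {
    "daily": lambda d: True,
    "weekly": lambda d: d.weekday() == 0,  # every Monday
    "monthly": lambda d: d.day == 1,       # first of each month
}


def simulate(schedule, issued, end, missed=()):
    """Replay renewal checks one day at a time.

    Returns (fewest days left at any renewal, days that began with an
    expired certificate). `missed` holds dates on which the check did not
    run, for example because the server or its network was down.
    """
    runs_on = SCHEDULES[schedule]
    expires = issued + LIFETIME
    min_left, days_expired = None, 0
    day = issued
    while day <= end:
        if day >= expires:
            days_expired += 1  # visitors see an expired cert until the check runs
        if runs_on(day) and day not in missed:
            left = expires - day
            if left < RENEW_WINDOW:  # otherwise: "Cert not yet due for renewal"
                min_left = left.days if min_left is None else min(min_left, left.days)
                expires = day + LIFETIME
        day += timedelta(days=1)
    return min_left, days_expired


if __name__ == "__main__":
    start, end = date(2017, 1, 1), date(2018, 12, 31)  # constructed dates
    for name in SCHEDULES:
        print(name, simulate(name, start, end))
    # One missed monthly run leaves no second chance before expiry.
    print("monthly, 1 missed", simulate("monthly", start, end, missed={date(2017, 6, 1)}))
```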
By: Justin Silver
https://www.justinsilver.com/technology/linux/letsencrypt-free-ssl-certificates-nginx/#comment-2356
Fri, 02 Jun 2017 16:02:53 +0000
In reply to Markos.

Hi Markos,

Thanks for the comment. There is definitely some merit to what you say, however this code does not actually update the certificate every day, rather it simply checks for an update daily and updates the certs accordingly. The certificate is only renewed if it is close to expiration, otherwise it is skipped. See this excerpt from me running letsencrypt renew manually just now –

[root@www ~]# letsencrypt renew
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/justinsilver.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/justinsilver.com/fullchain.pem (skipped)

I have had mixed results with Nginx picking up the new certificate without reloading/restarting the process which is why I choose to run mine around 1am when traffic is low (I have more than one site on this server). As you said people all over the Internet might use this post, but as they are distributed around the country and world (and thus timezones) this should cause a natural distribution and thus not everyone would make the check at the same time. It’s also worth noting that this is one request per day per server, which isn’t that much traffic in the big scheme of things (I’m currently building an app that should handle 1000 reqs/sec per thread).

All that said, it would be perfectly fine to run it less often if that suits your needs. My reason for not running it just once a month is backup in case the server or Internet is down and it misses the renewal. Running once a month means that if this happens it might be several days or longer before I noticed on some of my sites.

Of course reducing the load on an awesome free service is great so I will give this some more thought. Thanks!

By: Markos
https://www.justinsilver.com/technology/linux/letsencrypt-free-ssl-certificates-nginx/#comment-2355
Fri, 02 Jun 2017 12:41:10 +0000

you are renewing your certificate *every single day*, and so are ppl copy-pasting this all over the internet, please change it to at least once a month (random day & time)
