SteveLTN/https-portal

Question: How often are certificates updated in production mode?


How often are certificates updated in production mode?

After restarting the host OS, I get a Rate Limit error and can no longer start the container.

It will be updated 30 days before expiry (which is 90 days). The rate limit is a few times a week. This shouldn't be a problem.

What I guess is that you are doing experiments in production mode and didn't use volumes to preserve the certificates between trials?

Thanks for the reply.

We have restarted the OS at a site that is already in production. This problem occurred when Docker was started upon restart. However, the OS was restarted twice.

Make sure to use volumes to preserve the certificates between restarts. When HTTPS-PORTAL detects that certs are available, it won't try to get new ones.

This is the docker-compose.yaml actually used. volumes is specified.

```yaml
version: '3.8'

services:
  https-portal:
    image: steveltn/https-portal:1
    restart: always
    logging:
      driver: syslog
      options:
        syslog-facility: daemon
        tag: xxxxx-proxy/{{.Name}}/{{.ID}}
    ports:
      - '80:80'
      - '443:443'
    environment:
      TZ: Asia/Tokyo
      STAGE: 'production' # Don't use production until staging works
      # FORCE_RENEW: 'true'
      DOMAINS: >-
        xxxxx.xyz -> http://xxxxx-web:8000,
      CLIENT_MAX_BODY_SIZE: 10M
      ERROR_LOG: stdout
      ACCESS_LOG: stdout
    volumes:
      - https-portal-data:/var/lib/https-portal
    networks:
      - xxxxx-nw

volumes:
  https-portal-data:

networks:
  xxxxx-nw:
    external: true
```

The timing of the update was confirmed from the log. Is this expected behavior?
By the way, one day later, I started docker-compose and it recovered.

```
$ grep verified proxy.log-*
xxx-proxy.log-20221029:Oct 28 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221031:Oct 30 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221101:Oct 31 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221103:Nov  2 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221104:Nov  3 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221105:Nov  4 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221107:Nov  6 16:03:40 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221108:Nov  7 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221110:Nov  9 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221111:Nov 10 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221112:Nov 11 16:03:40 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221114:Nov 13 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221115:Nov 14 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
```

No, it is not.
Do you find anything such as this and this?

It checks the certificates every day. But it will only try to renew if the certificate needs renewing. I'd like to know whether it determined that the certs need renewal.

This is the result. Also, this server is running on multiple domains.

```
$ grep 'Renewed certs for' *proxy*
xxx-proxy.log:Nov 23 16:03:42 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[815]: Renewed certs for xxx.site
xxx-proxy.log:Nov 23 16:03:50 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[815]: Renewed certs for zzz.site
xxx-proxy.log-20221104:Nov  3 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221104:Nov  3 16:03:55 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221105:Nov  4 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221105:Nov  4 16:03:55 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221106:Nov  5 16:03:36 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221106:Nov  5 16:03:39 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221107:Nov  6 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221107:Nov  6 16:03:55 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221108:Nov  7 16:03:42 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221108:Nov  7 16:03:50 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221109:Nov  8 16:03:36 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221109:Nov  8 16:03:39 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221110:Nov  9 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221110:Nov  9 16:03:54 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221111:Nov 10 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221111:Nov 10 16:03:54 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221112:Nov 11 16:03:45 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221112:Nov 11 16:03:55 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221113:Nov 12 16:03:36 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221113:Nov 12 16:03:38 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221114:Nov 13 16:03:42 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221114:Nov 13 16:03:51 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221115:Nov 14 16:03:42 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221115:Nov 14 16:03:51 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
```

So, the frequency of running the renewal job looks okay. It is supposed to run every day and see if the certificate needs to be updated. The problem is: why does it determine that the certificate is outdated and needs to be renewed?

I put some debug code in the branch issue-329-debug. Could you check out the code and build from it?
Then turn on DEBUG=true, and you should have some prints to see what went wrong.
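
The renewal pattern discussed in this thread can be checked mechanically. The following is an added example, not part of the original issue or of the https-portal code base: it parses syslog lines of the form shown above and flags domains renewed sooner than the 90-day lifetime minus the 30-day renewal window allows, or often enough to approach a weekly rate limit. The sample log is constructed, and `weekly_limit=5` is an assumed value (the thread only says "a few times a week"); check the CA's published limits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format seen in the thread (not real logs).
SAMPLE_LOG = "\n".join(
    [f"proxy.log:Nov {d:2d} 16:03:44 host proxy/https-portal_1/abc[872]: "
     "Renewed certs for bad.example" for d in range(3, 10)]
    + ["proxy.log:Nov  3 16:03:38 host proxy/https-portal_1/abc[872]: bad.example verified!",
       "proxy.log:Sep  1 16:03:40 host proxy/https-portal_1/abc[872]: Renewed certs for ok.example",
       "proxy.log:Nov  1 16:03:41 host proxy/https-portal_1/abc[872]: Renewed certs for ok.example"]
)

# search() rather than match() so the "file:" prefix added by grep is tolerated.
LINE = re.compile(r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) .*Renewed certs for (\S+)")

def parse_renewals(text, year):
    """Map domain -> sorted renewal times. Syslog omits the year, so pass it in."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            found[m.group(2)].append(stamp)
    return {domain: sorted(times) for domain, times in found.items()}

def audit(renewals, lifetime_days=90, renew_before_days=30, weekly_limit=5):
    """Flag renewals that come too early or too often (weekly_limit is assumed)."""
    min_expected = timedelta(days=lifetime_days - renew_before_days)
    report = {}
    for domain, times in renewals.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        busiest, start = 0, 0
        for end, t in enumerate(times):  # sliding 7-day window
            while t - times[start] >= timedelta(days=7):
                start += 1
            busiest = max(busiest, end - start + 1)
        report[domain] = {
            "renewals": len(times),
            "max_in_7_days": busiest,
            "premature": any(g < min_expected for g in gaps),
            "rate_limit_risk": busiest >= weekly_limit,
        }
    return report

if __name__ == "__main__":
    for domain, result in audit(parse_renewals(SAMPLE_LOG, 2022)).items():
        print(domain, result)
```

A `premature` flag alongside a persistent volume points at the renewal decision itself rather than at lost certificates, which is the question the debug branch is meant to answer.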