Last time updated?
-
Yep, inspect the certificate. It has a start and end date.
Or have a look here : Services => Acme => Certificates
Or have a look in the logs ... a line will mention the execution of the cron job.
Btw "Certificate renewal after" : you set the delay in days for the renewal.
-
@gertjan said in Last time updated?:
Yep, inspect the certificate. It has a start and end date.
Or have a look here : Services => Acme => Certificates
Or have a look in the logs ... a line will mention the execution of the cron job.
Btw "Certificate renewal after" : you set the delay in days for the renewal.
I did all of that. The only one that seems to be what I want is "...in the logs ... a line will mention the execution of the cron job"
So far I have not seen it. Will check again tomorrow after expected run time
-
@chudak said in Last time updated?:
Last time updated?
I would say : 21-01-2019 10:21.
And what are frontal logs ?
-
The last time the cron ran will always be the previous night at 3:16 am or whenever the job is set to.
The latest version of the ACME package logs that to the main system log. Adding it in the cert list GUI would be a hassle and not worth the effort.
-
Yes I saw update message, but could not find any traces.
Pls tell how you see it ?
-
Status > System Logs, search for ACME
-
I have Cron Entry enabled
I see in Cron UI:
16 3 * * * root /usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1
I have NAT/WF rule on schedule
Mon - Sun 3:15 3:30
I check via Status > System Logs > General and filter Message for ACME
... and I see no traces of ACME executed in time range
PS: Manually running ACME works fine
You see something wrong with these steps ?
-
When did you last update the ACME package? I just put out the update with the log entry for cron in the last couple days. If you updated today, for example, you'd have no log entries for it yet.
Also if your system log is especially busy, it may not go back far enough to show log entries from then.
-
I am running ACME version 0.5.3.
Is it good ?
And cron says:
| /usr/bin/logger -t ACME 2>&1
and here see my log https://snag.gy/auomlf.jpg
Maybe it will show up tomorrow ?
-
It might, but like I said, if your log is very busy it may have scrolled off before you checked.
-
That's an interesting point.
But if you look at my log as above, you see ALL entries for 1/25/19, don't you? Where would it be ?
Still consider show on the UI. I bet you majority of people would love that :)
-
The earliest it shows is 7:42 AM, the log entry would have been from 3:16 AM. It might have already fallen off the start of the circular log.
-
how ?
next you see
Jan 25 07:40:03 php-fpm /acme/acme_certificates_edit.php: Beginning configuration backup to .https://acb.netgate.com/save
Jan 24 20:44:33 php /usr/local/pkg/acme/acme_command.sh: End of configuration backup to https://acb.netgate.com/save (success).
the day before yesterday, no ?
-
Ah, sorry, I hate reverse logs, my brain always sees top=oldest.
Try searching with ACME in the process field, not the message.
-
That's it !
Jan 25 03:16:00 ACME Renewal number of days not yet reached.
Jan 25 03:16:00 ACME Checking if renewal is needed for: YYY
Jan 25 03:16:00 ACME Renewal number of days not yet reached.
Jan 25 03:16:00 ACME Checking if renewal is needed for: XXX
Thank you!
Still consider !!!
-
I also wanted to mention that after using ACME for several days, I'd say you deserve kudos and thank-yous for maintaining its code ....
-
Didn't have a look myself yet .... but it's there : exactly at 03h16 minutes sharp :
2019-01-25 03:15:54 Cron.Info 192.168.1.1 Jan 25 03:16:00 /usr/sbin/cron[87247]: (root) CMD (/usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1)
2019-01-25 03:15:55 User.Notice 192.168.1.1 Jan 25 03:16:00 ACME: Checking if renewal is needed for: V2_brit-hotel-fumel.net
2019-01-25 03:15:55 User.Notice 192.168.1.1 Jan 25 03:16:00 ACME: Renewal number of days not yet reached.
Btw : using an external syslogger.
edit : grepping using the magic word ( = ACME) nailed it in a split second.
-
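The log-search point made above (the tag set by `logger -t ACME` lands in the process field, not the message text, so a message filter only finds cron's own launch line) and the two log layouts quoted in this thread, as an added Python example that is not code from the thread or from the ACME package; the sample log lines are constructed after the ones quoted above, and the year 2019 is assumed because the BSD layout carries none:

```python
import re
from datetime import datetime
# Constructed sample lines modelled on the two layouts quoted in this thread: the
# pfSense Status > System Logs view (no year) and an external syslog collector.
SAMPLE_LOG = """\
Jan 25 03:16:00 /usr/sbin/cron[87247]: (root) CMD (/usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1)
Jan 25 03:16:00 ACME Checking if renewal is needed for: example-one
Jan 25 03:16:00 ACME Renewal number of days not yet reached.
Jan 25 07:40:03 php-fpm /acme/acme_certificates_edit.php: Beginning configuration backup
2019-01-25 03:15:55 User.Notice 192.168.1.1 Jan 25 03:16:00 ACME: Checking if renewal is needed for: example-two
2019-01-25 03:15:55 User.Notice 192.168.1.1 Jan 25 03:16:00 ACME: Renewal number of days not yet reached.
"""

# Optional collector prefix, BSD timestamp, process with optional [pid] and ':', message.
LINE_RE = re.compile(
    r"^(?:\S+ \S+ \S+ \S+ )?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?:?\s*"
    r"(?P<msg>.*)$"
)

def parse(log_text, year=2019):
    """Yield (timestamp, process, message); the BSD layout carries no year (assumed)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["proc"], m["msg"]

def grep(log_text, word, field="msg"):
    """Emulate the GUI filter: 'msg' searches the message text, 'proc' the process column."""
    return [(ts, proc, msg) for ts, proc, msg in parse(log_text)
            if word in (msg if field == "msg" else proc)]

def renewal_decisions(log_text):
    """Map each domain ACME checked to the decision line that followed it.
    Only lines whose process field is ACME count: that tag comes from
    'logger -t ACME', so a message-text search for ACME never sees them."""
    decisions, pending = {}, None
    for _, proc, msg in parse(log_text):
        if proc != "ACME":
            continue
        if msg.startswith("Checking if renewal is needed for:"):
            pending = msg.split(":", 1)[1].strip()
            decisions[pending] = None
        elif pending:
            decisions[pending], pending = msg, None
    return decisions

if __name__ == "__main__":
    print("cron launches:", [ts for ts, _, _ in grep(SAMPLE_LOG, "acme_command.sh")])
    print("message hits:", len(grep(SAMPLE_LOG, "ACME")), "process hits:", len(grep(SAMPLE_LOG, "ACME", "proc")))
    print(renewal_decisions(SAMPLE_LOG))
```

Run against a real log export, the message search returns only the cron launch line while the process search returns the per-domain check and its decision, which is the difference the thread ran into.
-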
Just wondering when I see in logs those entries ("Renewal number of days not yet reached"), can I assume that NAT/FW rule for port forwarding was used and worked successfully?
-
No, that is only a local check of the certificate expiration date
-
so how to enforce real check ? Renew via UI ?
-
You can force it via the UI but that won't test your schedule since it's time-based.
There isn't an easy way to test that until it runs again naturally.
You could edit the cron job, add
-force
to the acme script call parameters, then wait overnight for the schedule to trigger, but that's not ideal either.
-
What if I lift schedule temporarily and run in command line:
/usr/local/pkg/acme/acme_command.sh "renewall" --force
-
Just one dash:
-force
If you disable the schedule so the rule is always active, then it should work to test just the renew, but that still doesn't help you test the schedule or the cron job.
-
@jimp I realize this. My goal was to test an odd port forwarding and it did seem to work.
"Reload success" is this sufficient ?
-
If you see the cert in the list with an updated valid/expiration date, then yeah.
-
Everything looks great and worked as expected.
The only minor note
I ran as:
/usr/local/pkg/acme/acme_command.sh "renewall" -force | /usr/bin/logger -t ACME 2>&1
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [port] => XYZ
    [ipv6] =>
)
...
[Wed Jan 30 10:11:14 PST 2019] Cert success.
However when I filtered FW log for XYZ Destination Port I found nothing.
Odd...
-
@chudak said in Last time updated?:
However when I filtered FW log for XYZ Destination Port I found nothing.
Same thing for me.
I searched for "Magic Cake" and I didn't find anything either.
But I wasn't surprised ....
A firewall logs if you instructed it to log.
-
@gertjan said in Last time updated?:
@chudak said in Last time updated?:
Cake" and I didn't find nothing aether.
But I wasn't surprised ....
A firewall logs if you instructed it to log.what do you mean ? why ?
I do have BTW traffic logging enabled for the FW rule.
-
In that case, if the LE server comes in to check, the firewall rule that logs should log something.
Another side effect : your cert was renewed - just check the dates of the cert.
Btw : don't do this too often : 5 times in a week and your renewal will be blocked.
-
@gertjan said in Last time updated?:
In that case, if the LE server comes in to check, the firewall rule that logs should log something.
Another side effect : your cert was renewed - just check the dates of the cert.
Btw : don't do this too often : 5 times in a week and your renewal will be blocked.
Everything worked perfectly, CA renewed.
No log entry in FW logs, that's all
I thought I saw a commit about Acme and FW logs, but can't find it now... Maybe mistaken
-
@chudak said in Last time updated?:
Everything worked perfectly, CA renewed.
So you're good !
The acme package is not related to the firewall (rules) whatsoever. That's up to you.