Last time updated?
-
It might, but like I said, if your log is very busy it may have scrolled off before you checked.
-
that's an interesting point.
But if you look at my log as above, you see ALL entries for 1/25/19, don't you? Where would it be ?
Still consider show on the UI. I bet you majority of people would love that :)
-
The earliest it shows is 7:42 AM, the log entry would have been from 3:16 AM. It might have already fallen off the start of the circular log.
-
how ?
next you see
Jan 25 07:40:03 php-fpm /acme/acme_certificates_edit.php: Beginning configuration backup to .https://acb.netgate.com/save Jan 24 20:44:33 php /usr/local/pkg/acme/acme_command.sh: End of configuration backup to https://acb.netgate.com/save (success).
the day before yesterday, no ?
-
Ah, sorry, I hate reverse logs, my brain always sees top=oldest.
Try searching with ACME in the process field, not the message.
-
That's it !
Jan 25 03:16:00 ACME Renewal number of days not yet reached. Jan 25 03:16:00 ACME Checking if renewal is needed for: YYY Jan 25 03:16:00 ACME Renewal number of days not yet reached. Jan 25 03:16:00 ACME Checking if renewal is needed for: XXX
Thank you!
Still consider !!!
-
I also wanted to mention that after being using ACME for several days I say that you deserved kudos and thank you's for maintaining its code ....
-
Didn't had a look myself yet .... but it's there : exactly at 03h16 minutes sharp :
2019-01-25 03:15:54 Cron.Info 192.168.1.1 Jan 25 03:16:00 /usr/sbin/cron[87247]: (root) CMD (/usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1) 2019-01-25 03:15:55 User.Notice 192.168.1.1 Jan 25 03:16:00 ACME: Checking if renewal is needed for: V2_brit-hotel-fumel.net 2019-01-25 03:15:55 User.Notice 192.168.1.1 Jan 25 03:16:00 ACME: Renewal number of days not yet reached.
Btw : using an external syslogger.
edit : grepping using the magic word ( = ACME) nailed it in a split second.
-
Just wondering when I see in logs those entries ("Renewal number of days not yet reached"), can I assume that NAT/FW rule for port forwarding was used and worked successfully?
-
No, that is only a local check of the certificate expiration date
-
so how to enforce real check ? Renew via UI ?
-
You can force it via the UI but that won't test your schedule since it's time-based.
There isn't an easy way to test that until it runs again naturally.
You could edit the cron job, add
-force
to the acme script call parameters, then wait overnight for the schedule to trigger, but that's not ideal either. -
What if I lift schedule temporarily and run in command line:
/usr/local/pkg/acme/acme_command.sh "renewall" --force
-
Just one dash
-force
.If you disable the schedule so the rule is always active, then it should work to test just the renew, but that still doesn't help you test the schedule or the cron job.
-
@jimp I realize this. My goal to test an odd port fowarding and it did seem to work.
"Reload success" is this sufficient ?
-
If you see the cert in the list with an updated valid/expiration date, then yeah.
-
Everything looks great and worked as expected.
The only minor note
I ran as:
/usr/local/pkg/acme/acme_command.sh "renewall" -force | /usr/bin/logger -t ACME 2 > & 1
Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [port] => XYZ [ipv6] => ) ... [Wed Jan 30 10:11:14 PST 2019] Cert success.
However when I filtered FW log for XYZ Destination Port I found nothing.
Odd...
-
@chudak said in Last time updated?:
However when I filtered FW log for XYZ Destination Port I found nothing.
Same thing for me.
I searched for "Magic Cake" and I didn't find nothing aether.
But I wasn't surprised ....
A firewall logs if you instructed it to log. -
@gertjan said in Last time updated?:
@chudak said in Last time updated?:
Cake" and I didn't find nothing aether.
But I wasn't surprised ....
A firewall logs if you instructed it to log.what do you mean ? why ?
I do have BTW traffic logging enabled for the FW rule.
-
In that case, it the LE server comes in to check, the firewall rule that logs should log something.
Another side effect : your cert was renewed - just check the dates of the cert.
Btw : don't do this to often : 5 times in a week and your renewal will be blocked.