Certificate Renewal notification

Gramps 5.2.0
Gramps Web API 2.0.0
Gramps Web Frontend 24.2.1
locale: en
multi-tree: false
task queue: true

Hello, strangers. Well, I guess I am the stranger, after all this time away.

No real problems, just seeking pointers, or solution, to how I can get the acme-companion to notify me when a cert has been renewed, either by email, or in a way I can use to automate (?) copying the new certs to the reverse proxy (Apache) I have set up.

Currently, I do that manually when I notice the connection to Gramps Web no longer works.

Did not see any means to ask the “acme people” directly.

All assistance appreciated.

Hi,

if you entered your correct e-mail, you will automatically get an e-mail from Let’s Encrypt (the certificate authority), this has nothing to do with acme-companion (or Gramps Web).

Sorry, I realized that didn’t answer your question - you don’t get the notification because acme-companion renews it for you, but then you need a manual step.

Perhaps just mark your calendar? :laughing:

Thanks. I do not seem to be getting an email. I’ll look into that.

These days even marking my calendar is problematic.

I suppose it is feasible to periodically check the file dates on the certs in the docker container and compare them to those in the reverse proxy and copy them when necessary. Or, perhaps just copy them daily or on some other reasonable schedule.

Perhaps even raise a “bug” or “enhancement request” with the acme-companion folks. I had thought it already in there, but had missed it.

Edit: Probably not getting the email as the certs get renewed before the 6 day mark so never trigger the bot.

Not having to do anything manually is precisely the point of the acme-companion + nginx-proxy example in the docs. If you want to use something else, yes it’s best to ask in the upstream projects.

Perhaps I was not clear. Not wishing to seem dense or argumentative.

I don’t want to replace it, as it works fine, as far as it goes, but to augment it for my purpose.

The reverse proxy resides on different hardware from grampsweb containers, which configuration did not “jump at me” from the docs.

I’ll review the docs again to see if I missed something that will cover this.

To be clear, what I meant is that this

is not needed when using the setup I linked, because it is automatically copied to the nginx reverse proxy (by sharing the appropriate volumes).

@DavidMStraub Is there a way that Gramps Web could do a daily self‐test and eMail the admin(s)? To see if it is giving a certificate expired response instead of content.

And perhaps generate an eMail with a simple object count statistic report on the Tree(s). (If the Admin doesn’t get an eMail or the counts are Zeros, there is a server problem to resolve.)

Likely I have terminology confused. What I am calling a reverse proxy is on hardware, running Apache, distinct from the hardware running the docker setups for grampsweb. Each hardware has its own IP of course.

I have only one internet facing static IP these days and must “share” it with several web apps. That is I can only forward web stuff, via firewall/router, to a single local IP.

Initially it seemed the only way to “make it work” was to have the certs files reside (duplicated to) the Apache virtual host so it would “make nice” with the docker setup. Works well enough until the certs renew and need to be duplicated on the Apache setup. If there is a way to share containers across hardware platforms, I am not aware of it.

I must confess to “infirmity of years” slowing my grasp of things. Just a fact.

No. Gramps Web doesn’t know anything about certificates, it sits at a lower level. The issue we are discussing here has nothing to do with Gramps Web, but with exposing any kind of service to the internet via HTTPS.

No need to look into it, because I just got an email from Let’s Encrypt informing me of this change:

:laughing:

acme-companion has a pre- and post-hook on certificate renewal which may help you achieve what you want. There are some restrictions on what you can do, but it’s a place to start. Let us know how you make out.

Quick look, holds promise. May be a few days as minor medical appointments take precedence.
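
The periodic check suggested earlier in the thread, as an added example that is not part of any post and is not code from acme-companion or Gramps Web: it compares the certificate's SHA-256 with the last one pushed (a content hash rather than file dates) and copies certificate and key to the Apache host only when they change. The host name `certsync@apache-host`, the directories and the reload command are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: certsync@apache-host,
# /etc/apache2/ssl/grampsweb, /var/lib/cert-sync.
REMOTE="${REMOTE:-certsync@apache-host}"
REMOTE_DIR="${REMOTE_DIR:-/etc/apache2/ssl/grampsweb}"
STATE_DIR="${STATE_DIR:-/var/lib/cert-sync}"

# SHA-256 of a file's content; unlike file dates it is unaffected by copies or touch.
cert_hash() { sha256sum "$1" | cut -d' ' -f1; }

# True (0) when the live certificate differs from the one last pushed.
cert_changed() {
    stamp="$STATE_DIR/last_pushed.sha256"
    [ -f "$stamp" ] || return 0
    [ "$(cert_hash "$1")" != "$(cat "$stamp")" ]
}

# Default transport: copy over SSH, reload Apache only if its config still parses.
# Assumes key-based SSH and that the remote account may reload Apache.
push_cert() {
    scp -pq "$1" "$2" "$REMOTE:$REMOTE_DIR/" &&
        ssh "$REMOTE" 'apachectl configtest && apachectl graceful'
}

# Prints missing | unchanged | pushed | push-failed; exits non-zero on problems.
sync_if_changed() {
    cert="$1"; key="$2"
    if [ ! -s "$cert" ] || [ ! -s "$key" ]; then echo "missing"; return 1; fi
    if ! cert_changed "$cert"; then echo "unchanged"; return 0; fi
    if push_cert "$cert" "$key"; then
        # Record the hash only after a successful push, so failures are retried.
        ( umask 077; mkdir -p "$STATE_DIR" &&
          cert_hash "$cert" > "$STATE_DIR/last_pushed.sha256" )
        echo "pushed"
    else
        echo "push-failed"; return 1
    fi
}

# Usage from cron on the Docker host: cert-sync.sh FULLCHAIN.pem KEY.pem
if [ "$#" -eq 2 ]; then sync_if_changed "$@"; fi
```

Because the private key travels with the certificate, the SSH account used for the copy is best limited to that one directory, and the printed status is what a mail or logging step would key on.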