LinuxQuestions.org
Old 03-16-2016, 03:20 AM   #1
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Treatment of scripts in /etc/cron.monthly


Hi,

On a public Slackware64 14.0 server I'm hosting several domains, and each domain has one or more subdomains with corresponding SSL certificates generated with LetsEncrypt.

For every domain there's a script mkcert-domain.sh. Here's what this looks like:

Code:
-rwx------ 1 root root 1209 janv. 28 11:16 mkcert-coopsoleil.fr.sh
-rwx------ 1 root root  603 janv. 28 09:46 mkcert-microlinux.eu.sh
-rwx------ 1 root root 1110 mars   6 17:34 mkcert-radionovak.com.sh
-rwx------ 1 root root  804 janv. 27 16:42 mkcert-scholae.fr.sh

Here's what one of the scripts looks like:

Code:
#!/bin/bash
#
# Create/renew SSL/TLS certificates for coopsoleil.fr

DOMAIN="coopsoleil.fr"
DIRNAM="coopsoleil"
ENCRYPT="/usr/bin/letsencrypt"
CHGRP="/usr/bin/chgrp"
CHMOD="/usr/bin/chmod"
CERTGRP="certs"
EMAIL="info@microlinux.fr"
OPTIONS="certonly \
         --standalone-supported-challenges tls-sni-01 \
         --email $EMAIL \
         --renew-by-default \
         --agree-tos \
         --text \
         --standalone"

# Create $CERTGRP group 
if ! grep -q "^$CERTGRP:" /etc/group ; then
  groupadd -g 240 $CERTGRP
  echo ":: Added $CERTGRP group."
  sleep 3
fi

# Stop Apache
echo ":: Stopping Apache."
if ps ax | grep -v grep | grep httpd > /dev/null ; then
  # Discard stdout and stderr of the init script
  /etc/rc.d/rc.httpd stop > /dev/null 2>&1
  sleep 5
fi

$ENCRYPT $OPTIONS -d www.$DOMAIN -d $DOMAIN \
  --webroot-path /srv/httpd/vhosts/$DIRNAM-secure/htdocs

$ENCRYPT $OPTIONS -d mail.$DOMAIN \
  --webroot-path /srv/httpd/vhosts/$DIRNAM-webmail/htdocs

$ENCRYPT $OPTIONS -d cloud.$DOMAIN \
  --webroot-path /srv/httpd/vhosts/$DIRNAM-owncloud/htdocs

# Fix permissions
echo ":: Setting permissions."
$CHGRP -R $CERTGRP /etc/letsencrypt
$CHMOD -R g=rx /etc/letsencrypt

# Start Apache
echo ":: Starting Apache."
/etc/rc.d/rc.httpd start

I've been running these scripts since LetsEncrypt's first public beta in December, and after a few initial hiccups, everything works fine now.

I'd like to define a monthly cronjob for certificate generation. So my first idea would be to put all those mkcert-* scripts into /etc/cron.monthly, but I have a doubt. If I put them in this directory, I expect them to be launched sequentially, e. g. one after another, and not all at the same time.

Can anyone tell me more about the way scripts in /etc/cron.monthly (or similar) are treated?

Cheers,

Niki
 
Old 03-16-2016, 03:41 AM   #2
atelszewski.versades
Member
 
Registered: Oct 2014
Posts: 61

Hi,

Not exactly the answer for the question, but what if you had a master script that was launched by cron?
Then, this master script would sequentially call all the mkcert-* scripts?

Another thing: check if the Apache has to be really stopped when re-generating the certs.
I might be wrong, but if I recall correctly, the certs are read on startup and kept in memory (this makes sense, in the case the cert is password protected).
Then you would just restart the Apache. This would prevent down time during cert regeneration.

--
Best regards,
Andrzej Telszewski
 
Old 03-16-2016, 03:51 AM   #3
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by atelszewski.versades
Hi,

Not exactly the answer for the question, but what if you had a master script that was launched by cron?
Then, this master script would sequentially call all the mkcert-* scripts?

Another thing: check if the Apache has to be really stopped when re-generating the certs.
I might be wrong, but if I recall correctly, the certs are read on startup and kept in memory (this makes sense, in the case the cert is password protected).
Then you would just restart the Apache. This would prevent down time during cert regeneration.

--
Best regards,
Andrzej Telszewski

I can't really use a master script, because LetsEncrypt certificates have a very tight limitation. If I have to add a domain and/or one or several subdomains, I would have to rerun the whole script, and my weekly quota would peak out.

As for Apache: yes, it has to be stopped for generation as well as for renewal.
 
Old 03-16-2016, 04:31 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

If your crontab uses run-parts then files in the directory are processed in sequence. Cron itself runs things in parallel. You can add a cronjob to your apache user.

Some more thoughts and questions:

You could use the last modified date of the generated cert files to see if a script needs renewal or creation. This way you could use a master script.
Is it really needed that the creation process runs in parallel? Do you have enough entropy from /dev/{random,urandom} for this? Or are the servers of letsencrypt doing the body work?

Why don't you first create the new certs, stop apache, move old to backup, move new to correct path, start apache. Depending on how long the creation process takes you have a considerable down time.
Do you really need to stop apache? I know there's an option to have apache reread its configs and all new connection use the new settings. Also I'm not sure if this goes for certs as well.

Any deeper sense in regenerating those certificates once a month?
 
Old 03-16-2016, 01:06 PM   #5
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
It's nice of you folks to help me, but this is not a thread on how LetsEncrypt works (e. g. yes, you have to stop Apache, etc.). Here's my question:

Are scripts in /etc/cron.monthly processed one after another, yes or no?

Thanks for staying on topic and actually answering my question.

Cheers,

Niki
 
Old 03-16-2016, 01:26 PM   #6
phenixia2003
Senior Member
 
Registered: May 2006
Location: France
Distribution: Slackware
Posts: 1,052

Hello,

Quote:
Originally Posted by kikinovak
It's nice of you folks to help me, but this is not a thread on how LetsEncrypt works (e. g. yes, you have to stop Apache, etc.). Here's my question:

Are scripts in /etc/cron.monthly processed one after another, yes or no?

Thanks for staying on topic and actually answering my question.

Cheers,

Niki

According to the main loop of /usr/bin/run-parts (see below), scripts in /etc/cron.monthly *are* processed one after another:
Code:
for SCRIPT in $1/* ; do
  # If this is not a regular file, skip it:
  if [ ! -f $SCRIPT ]; then
    continue
  fi
  # Determine if this file should be skipped by suffix:
  SKIP=false
  for SUFFIX in $IGNORE_SUFFIXES ; do
    if [ ! "$(basename $SCRIPT $SUFFIX)" = "$(basename $SCRIPT)" ]; then
      SKIP=true
      break
    fi
  done
  if [ "$SKIP" = "true" ]; then
    continue
  fi
  # If we've made it this far, then run the script if it's executable:
  if [ -x $SCRIPT ]; then
    $SCRIPT || echo "$SCRIPT failed."
  fi
done

--
SeB
 
1 members found this post helpful.
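
Added example, not part of the original thread and not Slackware's own code: a dry-run helper that applies the same three checks as the loop quoted in post #6 and prints which files in a directory would run, in glob order, and why the others would be skipped. The function names, the shortened IGNORE_SUFFIXES list and the demo file names other than the two mkcert scripts are assumptions made for the example.

```sh
# Assumed sample list; copy the real value from your own /usr/bin/run-parts.
IGNORE_SUFFIXES="~ .bak .new .swp"

# Print "RUN name" or "SKIP name (reason)" for each entry of directory $1,
# applying the same three checks, in the same order, as the quoted loop.
runparts_plan() {
  for script in "$1"/* ; do
    [ -e "$script" ] || continue          # empty directory: glob matched nothing
    name=$(basename "$script")
    reason=""
    if [ ! -f "$script" ]; then
      reason="not a regular file"
    else
      for suffix in $IGNORE_SUFFIXES ; do
        if [ "$(basename "$script" "$suffix")" != "$name" ]; then
          reason="ignored suffix $suffix"
          break
        fi
      done
      if [ -z "$reason" ] && [ ! -x "$script" ]; then
        reason="not executable"
      fi
    fi
    if [ -n "$reason" ]; then
      echo "SKIP $name ($reason)"
    else
      echo "RUN $name"
    fi
  done
}

# Constructed directory standing in for /etc/cron.monthly.
demo_plan() {
  dir=$(mktemp -d) || return 1
  for f in mkcert-scholae.fr.sh mkcert-coopsoleil.fr.sh mkcert-old.sh.bak notes.txt ; do
    printf '#!/bin/sh\nexit 0\n' > "$dir/$f"
  done
  chmod 700 "$dir"/mkcert-*
  chmod 600 "$dir/notes.txt"
  mkdir "$dir/disabled"
  runparts_plan "$dir"
  rm -rf "$dir"
}

demo_plan
```

A SKIP line for a renewal script means that certificate is never renewed, and run-parts prints nothing about it. Debian's run-parts applies different name rules and by default skips file names containing a dot, so names like mkcert-coopsoleil.fr.sh would not run there.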
Old 03-16-2016, 01:56 PM   #7
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,792

Starting one after the other has finished only occurs if you use run-parts (ie, you put all your scripts individually in /etc/cron.monthly). However, if you put them individually in your crontab, it'll still run them in order, however, they won't wait for the other to stop/finish (like appending an ampersand "&" at the end of a command). You can either add multiple scripts within /etc/cron.monthly/ or add one script that calls the scripts one after the other (just don't add an ampersand).

If, for future reference, you want scripts run in "parallel", you'll either need to use crontab or build a script that will start programs without waiting for others to finish (by using ampersands).
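
Added example, not part of the original thread: a lock wrapper that keeps jobs from overlapping even when cron starts them independently, as with the separate crontab lines described in post #7. with_lock, fake_job, demo_serialized and the lock path are hypothetical names; mkdir is used as the atomic lock primitive so the block needs nothing beyond a POSIX shell and mktemp.

```sh
# Hold the lock directory $LOCKDIR while running "$@". mkdir either creates the
# directory or fails, atomically, so only one caller at a time gets past it.
with_lock() {
  tries=0
  until mkdir "$LOCKDIR" 2>/dev/null ; do
    tries=$((tries + 1))
    if [ "$tries" -gt 60 ]; then
      echo "lock $LOCKDIR still held, giving up" >&2
      return 1
    fi
    sleep 1
  done
  status=0
  "$@" || status=$?
  rmdir "$LOCKDIR"
  return "$status"
}

# Constructed stand-in for one mkcert-*.sh run (stop Apache, renew, start Apache).
fake_job() {
  echo "start $1" >> "$2"
  sleep 1
  echo "end $1" >> "$2"
}

# Start two jobs at once, as two separate crontab lines would, and report
# whether their start/end markers interleaved in the shared log.
demo_serialized() {
  work=$(mktemp -d) || return 1
  LOCKDIR="$work/lock"
  for d in coopsoleil.fr microlinux.eu ; do
    with_lock fake_job "$d" "$work/log" &
  done
  wait
  awk '$1 == "start" { cur = $2; next }
       $1 == "end" && $2 == cur { ok++; cur = ""; next }
       { bad++ }
       END { if (ok == 2 && bad == 0) print "serialized"; else print "interleaved" }' "$work/log"
  rm -rf "$work"
}

demo_serialized
```

Calling fake_job directly in the loop instead of through with_lock makes the same check print "interleaved".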
 
Old 03-17-2016, 02:56 AM   #8
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Quote:
Originally Posted by kikinovak
Are scripts in /etc/cron.monthly processed one after another, yes or no?

If you would have read my first sentence you would have got the answer.
 
Old 03-17-2016, 04:45 AM   #9
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by phenixia2003
Hello,



According to the main loop of /usr/bin/run-parts (see below), scripts in /etc/cron.monthly *are* processed one after another

Thank you very much!
 
  

