Auto-renew certbot certificate with plugin dns-route53

Hi guys, I have a problem with my auto-renewing certificate. I am using the dns-route53 plugin, which is working perfectly. I need to make the renewal happen automatically, without even entering commands like certbot renew or something similar.
My domain is: example.com

I ran this command: cat /etc/letsencrypt/renewal/example.com.conf

It produced this output:

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/example.com
and all the other things down

My web server is (include version): apache

The operating system my web server runs on is (include version): amazon linux 2

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

So my question is: if I uncomment the # renew_before_expiry = 30 days line, will the auto-renewal happen automatically at 30 days?
Thanks in advance. There are no cron jobs.

No, Certbot will renew from 30 days anyway (when running certbot renew), that's the default. The line you're mentioning should be left untouched.

Well, there's your problem. Certbot isn't a daemon/service itself; it just runs once and then quits. It can't magically start renewing certs; it needs a cronjob or systemd timer to run certbot renew periodically, usually twice a day.

Depending on how you installed Certbot, a systemd timer would already be provided. And some distribution packages also add a cronjob.


Thanks, can you suggest the proper commands for this? I do not want to break something.


The proper command is certbot renew. Or sudo certbot renew if not logged in as root.


I did that last time (sudo certbot renew); now it is 30 days before expiry and it has not auto-renewed. Do you need to see any specific configuration?

The output of the sudo certbot renew command is probably more useful. And with that the sudo certbot certificates command will come in handy.


Okay, I will give you the output, but I now saw an error :slight_smile:

Failed to renew certificate example.com with error: Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.

The problem is that nothing has changed. I didn't change the AWS keys or anything like that on Amazon Linux; also, the policy is attached to the user. arghhh

Fixed it, sudo aws didn't have the key..

Could you use the sudo option --preserve-env=list for that perhaps?


This is after sudo certbot renew,

Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Renewing an existing certificate for alpha.example.com and 5 more domains
Performing the following challenges:
dns-01 challenge for alpha.example.com
dns-01 challenge for example.com
dns-01 challenge for developers.example.com
dns-01 challenge for docs.example.com
dns-01 challenge for go.example.com
dns-01 challenge for example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/coherent-labs.com/fullchain.pem

This is after sudo certbot certificates,

  Certificate Name: example.com
    Serial Number: 37de1dsdsdsdsaa
    Key Type: RSA
    Domains: alpha.example.com example.com developers.example.com docs.example.com go.example.com www.example.com
    Expiry Date: 2024-03-18 12:44:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Everything is okay, so will it now automatically renew the certificate? When it reaches 30 days before expiry?


That works too instead of environment variables of course :slight_smile:

That depends. As said before, Certbot is not a daemon/service, but needs a cronjob or systemd timer to have certbot renew (with or without sudo, depending on the user of the cronjob) run twice a day.

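Putting the two pieces of advice in this thread together (a cron job or systemd timer running certbot renew twice a day, and making sure the root run can find the AWS credentials that sudo did not pass through), here is an added example script. It is not code from the thread, from Certbot or from the dns-route53 plugin. It assumes certbot is at /usr/bin/certbot, that the credentials file is /root/.aws/credentials, that Apache on Amazon Linux 2 is the httpd service, and that perl is available for the random sleep; the AWS_SHARED_CREDENTIALS_FILE variable it pins is the standard boto3 override, which avoids depending on whatever HOME the job happens to run with.

```bash
#!/usr/bin/env bash
# Added example, not part of the original thread: schedule an unattended
# `certbot renew` twice a day (cron or a systemd timer) and pin the AWS
# credentials file the dns-route53 plugin needs, so a root cron job does
# not hit "Unable to locate credentials" the way `sudo certbot renew` did.
set -euo pipefail

# Assumptions (not from the thread): certbot is at /usr/bin/certbot, the
# credentials live in /root/.aws/credentials, and Apache on Amazon Linux 2
# is the httpd service.  Override via environment if your host differs.
CERTBOT_BIN="${CERTBOT_BIN:-/usr/bin/certbot}"
AWS_CREDS="${AWS_CREDS:-/root/.aws/credentials}"
RELOAD_HOOK="${RELOAD_HOOK:-systemctl reload httpd}"

# boto3 checks AWS_SHARED_CREDENTIALS_FILE first, then $HOME/.aws/credentials.
# `sudo` swaps HOME for root's, which is why the user's key file went missing.
# Returns 0 if a renew run with the given HOME would find credentials.
creds_visible_for_home() {
  local home="$1"
  if [ -n "${AWS_SHARED_CREDENTIALS_FILE:-}" ]; then
    [ -r "$AWS_SHARED_CREDENTIALS_FILE" ]
  else
    [ -r "$home/.aws/credentials" ]
  fi
}

# The renew command itself.  -q keeps cron mail quiet on no-op runs; certbot
# only renews when the cert is inside renew_before_expiry (30 days default).
renew_command() {
  printf 'AWS_SHARED_CREDENTIALS_FILE=%s %s renew -q --deploy-hook "%s"\n' \
    "$AWS_CREDS" "$CERTBOT_BIN" "$RELOAD_HOOK"
}

# /etc/cron.d entry: twice a day, with a random sleep (up to an hour) so
# many hosts do not all contact Let's Encrypt at the same minute.
write_cron_file() {
  local out="$1"
  {
    printf 'SHELL=/bin/sh\n'
    printf 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n'
    printf '0 0,12 * * * root perl -e '"'"'sleep int(rand(3600))'"'"' && %s\n' \
      "$(renew_command)"
  } > "$out"
}

# systemd alternative: oneshot service plus a timer firing at 00:00 and 12:00.
write_systemd_units() {
  local dir="$1"
  cat > "$dir/certbot-renew.service" <<EOF
[Unit]
Description=Renew Let's Encrypt certificates via dns-route53

[Service]
Type=oneshot
Environment=AWS_SHARED_CREDENTIALS_FILE=$AWS_CREDS
ExecStart=$CERTBOT_BIN renew -q --deploy-hook "$RELOAD_HOOK"
EOF
  cat > "$dir/certbot-renew.timer" <<EOF
[Unit]
Description=Run certbot renew twice a day

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Usage (as root): ./setup-renew.sh cron   or   ./setup-renew.sh systemd
case "${1:-}" in
  cron)    write_cron_file /etc/cron.d/certbot-renew ;;
  systemd) write_systemd_units /etc/systemd/system
           systemctl daemon-reload && systemctl enable --now certbot-renew.timer ;;
esac
```

Pick one of the two mechanisms, not both. After installing, `sudo certbot renew --dry-run` with the same environment the job uses is the quickest way to confirm the credentials are found before the real 30-day window arrives, and `systemctl list-timers certbot-renew.timer` (or `cat /etc/cron.d/certbot-renew`) shows the schedule actually took effect.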

So basically, if I now run certbot renew again, it will give me output that the certificate does not need to be renewed? And I need a cron job for that certbot renew two times a day, so it will check twice every day, and when it reaches 30 days before expiry the cron job will renew the cert?

Yes, it should say that.

Correct.


Thank you very much, Osiris :slight_smile: It is all clear for me now :slight_smile:

