Auto-renew certbot certificate with plug dns-route53

Help
1

Hi guys I have a problem with my auto renewing certificate. I am using dns-route53 plugin which is working perfectly. I need to make the renewing automatically to happen not even to enter commands like certbot renew or something similar.
My domain is: example.com

I ran this command: cat /etc/letsencrypt/renewal/example.com.conf

It produced this output:

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/example.com
and all the other things down

My web server is (include version): apache

The operating system my web server runs on is (include version): amazon linux 2

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don't know):yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.11.0

So my question is if I uncomment the # renew_before_expiry = 30 days line. Will the auto renewing happens automatically when = 30 days ?
Thanks in advance. There is no cron jobs.

2

No, Certbot will renew from 30 days anyway (when running certbot renew), that's the default. The line you're mentioning should be left untouched.

Well, there's your problem. Certbot isn't a daemon/service itself, it just runs once and then quits. It can't magically start renewing certs, it needs a cronjob or systemd timer to run certbot renew periodically, usually twice a day.

Depending on how you installed Certbot, a systemd timer would already be provided. And some distribution packages also add a cronjob.

1 Like
4

Thanks , Can you suggest me a proper commands for this ? I do not want to break something.

1 Like
5

The proper command is certbot renew. Or sudo certbot renew if not logged in as root.

1 Like
6

I did that last time (sudo certbot renew), now it is day 30 before expiring and it is not auto renewed. Do you need any specific configuration to see ?

7

The output of the sudo certbot renew command is probably more useful. And with that the sudo certbot certificates command will come in handy.

1 Like
8

Okay I will give you the output but I saw now a error :slight_smile:

Failed to renew certificate example.com with error: Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.

The problem is that there's nothing changed. I didn't change the aws keys or something like that on the amazon linux, also the policy is attached on the user. arghhh

9

Fixed it, the sudo aws doesn't had the key..

10

Could you use the sudo option --preserve-env=list for that perhaps?

1 Like
11

This is after sudo certbot renew,

Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Renewing an existing certificate for alpha.example.com and 5 more domains
Performing the following challenges:
dns-01 challenge for alpha.example.com
dns-01 challenge for example.com
dns-01 challenge for developers.example.com
dns-01 challenge for docs.example.com
dns-01 challenge for go.example.com
dns-01 challenge for example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/coherent-labs.com/fullchain.pem

This is after sudo certbot certificates,

  Certificate Name: example.com
    Serial Number: 37de1dsdsdsdsaa
    Key Type: RSA
    Domains: alpha.example.comexample.com developers.example.com docs.example.com go.example.com www.example.com
    Expiry Date: 2024-03-18 12:44:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Everything is okay, so will now automatically renew the certificate ? When it is reached 30 days before expiring ?

1 Like
12

That works too instead of environment variables of course :slight_smile:

That depends. As said before, Certbot is not a daemon/service, but needs a cronjob or systemd timer to have certbot renew (with or without sudo, depending on the user of the cronjob) ran twice a day.

2 Likes
13

So basically now if I run again certbot renew it will give me output that the certificate does not need to be renewed ? And I need cronjob for that certbot renew 2 times a day so it will check every dayx2 and when it will reach the 30 days before expiring the cron job will renew the cert ?

14

Yes, it should say that.

Correct.

3 Likes
15

Thanks you very much Osiris :slight_smile: It is all clear for me now :slight_smile:

3 Likes
16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.