pata.physics.wtf + dr.physics.wtf
Nginx 1.6.2 - Debian Jessie 8.3
certbot-auto version 0.36.0
I have root access
My problem seems to be the auto-renew cron job.
It doesn’t seem to trigger automatically and I just don’t know why. I’ve been manually renewing for some time, I even reinstalled certbot at some point and re-issued new certificates but to no avail.
Dry runs are successful. Manual renewals are successful.
My logs show a last entry early May, but nothing else until my dry-run today. Back then the renewal wasn’t due and it didn’t show any errors.
This is the entry when I check cron (using crontab -l): * */12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /etc/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"
I’m at a loss. Any pointers or help are much appreciated.
I am not a Debian user, or nginx for that matter; but is it possible that you have forgotten to restart the cron service after adding the renew line?
Also, on my system, the crontab entry looks as shown below (if that is of any help to you):
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
#
0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
Finally, I have the option of installing either certbot or certbot-apache. The first will give me no end of bad problems, the second works because it adds an Apache module. Could something like this be the cause of your problem?
Thanks for the quick response.
I honestly don’t remember if I restarted cron, so it’s a good possibility that I didn’t. First time I’m dealing with cron thanks to certbot.
I’ve restarted it now, so I’ll report back tomorrow on if that fixed it.
Do you have certbot-auto in /etc/certbot-auto? What happens if you run this command ( /etc/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start") from the command line?
Is this your regular user crontab? Normally certbot-auto needs to be run as root (it will prompt you with sudo if run interactively as a non-root user), so you might have a permissions problem if running it as a regular user from crontab.
I've never encountered that. The crontab program normally installs the crontab file in a way that draws the cron service's attention to the changes without a need for a restart.
I’ve run /etc/certbot-auto renew --dry-run --pre-hook "service nginx stop" --post-hook "service nginx start" fine without any sudo while logged in as root.
I’m not entirely sure how I check what user my crontab is for but both sudo crontab -l and crontab -l show the previously posted cron job.
So it appears after restarting cron with sudo /etc/init.d/cron restart my certificates successfully renewed overnight.
The logs are interesting: the last entry from before yesterday was from 2nd May. Then I did a dry-run last night. And then the actual renew was triggered around midnight. Since then I’ve also had quite a few logs so I will definitely have to change the cron job timing as @mnordhoff suggested.
This is interesting given @schoen’s comment that cron shouldn’t need to be restarted. Could that be a specific quirk to my OS/server setup?
Either way, I’m grateful it’s now sorted. I learned something new, yay!
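Added example, not part of the thread: a small Python check that expands the minute and hour fields of the two crontab schedules posted above and counts how often each one fires per day. It assumes standard cron field semantics and treats the day, month and weekday fields as `*`; the function names are made up for this illustration.

```python
# Added example: expand the minute and hour fields of a crontab schedule.
# Supports "*", "*/n", "a", "a-b", "a-b/n" and comma lists (no month/day names).

def expand(field, lo, hi):
    """Return the sorted values in [lo, hi] matched by one cron field."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if step < 1:
            raise ValueError("step must be >= 1: %r" % part)
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(rng)
        if not (lo <= start <= end <= hi):
            raise ValueError("out of range: %r" % part)
        values.update(range(start, end + 1, step))
    return sorted(values)


def daily_runs(schedule):
    """List the (hour, minute) pairs at which the schedule starts a job.

    Only the first two fields are read; the rest are assumed to be '*'.
    """
    minute, hour = schedule.split()[:2]
    return [(h, m) for h in expand(hour, 0, 23) for m in expand(minute, 0, 59)]


ORIGINAL = "* */12 * * *"   # schedule from the first post
REPLY = "0 0,12 * * *"      # schedule from the reply's crontab

if __name__ == "__main__":
    for schedule in (ORIGINAL, REPLY):
        runs = daily_runs(schedule)
        print("%-14s -> %3d runs/day, first %02d:%02d, last %02d:%02d"
              % (schedule, len(runs), runs[0][0], runs[0][1],
                 runs[-1][0], runs[-1][1]))
```

The schedule `* */12 * * *` matches every minute of hours 0 and 12, so it starts 120 jobs a day, each sleeping up to an hour before calling certbot-auto; `0 0,12 * * *` starts two.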