Auto-renew failure, manual renewal fine

pata.physics.wtf + dr.physics.wtf
Nginx 1.6.2 - Debian Jessie 8.3
certbot-auto version 0.36.0
I have root access


My problem seems to be the auto-renew cron job.
It doesn’t seem to trigger automatically and I just don’t know why. I’ve been manually renewing for some time, I even reinstalled certbot at some point and re-issued new certificates but to no avail.

Dry runs are successful. Manual renewals are successful.

My logs show a last entry early May, but nothing else until my dry-run today. Back then the renewal wasn’t due and it didn’t show any errors.

This is the entry when I check cron (using crontab -l):
* */12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /etc/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

I’m at a loss. Any pointers or help are much appreciated.

I am not a Debian user, or nginx for that matter; but is it possible that you have forgotten to restart the cron service after adding the renew line?

Also, on my system, the crontab entry looks as shown below (if that is of any help to you):

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
#
0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Finally, I have the option of installing either certbot or certbot-apache. The first will give me no end of bad problems, the second works because it adds an Apache module. Could something like this be the cause of your problem?

Thanks for the quick response.
I honestly don’t remember if I restarted cron, so it’s a good possibility that I didn’t. First time I’m dealing with cron thanks to certbot.

I’ve restarted it now, so I’ll report back tomorrow on if that fixed it :)

Hi @fania,

Do you have certbot-auto in /etc/certbot-auto? What happens if you run this command ( /etc/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start") from the command line?

Is this your regular user crontab? Normally certbot-auto needs to be run as root (it will prompt you with sudo if run interactively as a non-root user), so you might have a permissions problem if running it as a regular user from crontab.

I’ve never encountered that. The crontab program normally installs the crontab file in a way that draws the cron service’s attention to the changes without a need for a restart.


Hey @schoen, thanks for the answer.

I’ve run /etc/certbot-auto renew --dry-run --pre-hook "service nginx stop" --post-hook "service nginx start" fine without any sudo while logged in as root.

I’m not entirely sure how I check what user my crontab is for but both sudo crontab -l and crontab -l show the previously posted cron job.

Do you have updated logs in /var/log/letsencrypt showing that Certbot is getting run from cron every day?

No problem - I hope the advice from either myself or schoen helps you resolve the problem.

FWIW, according to crontab.guru, that runs “at every minute past every 12th hour.”

That’s far from what you’d want, but it would result in Certbot running regularly.

On the other hand, it would probably result in Certbot processes running simultaneously, which could go wrong somehow.
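
An added illustration, not part of the original thread: the sketch below expands the minute and hour fields of the two schedules posted above and counts how often each fires per day, and how many jobs could be alive at once given the up-to-3600-second random sleep in the job. The function names are hypothetical, and only the `*`, `*/n`, `a-b`, `a-b/n` and comma-list field forms are handled.

```python
# Added example (not from the thread): compare the two crontab schedules.

def expand(field, lo, hi):
    """Return the sorted values one cron field matches within lo..hi."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = end = int(rng)
        values.update(range(start, end + 1, step))
    return sorted(v for v in values if lo <= v <= hi)

def daily_runs(schedule):
    """List (hour, minute) start times in one day for a 5-field schedule
    whose day-of-month, month and day-of-week fields are all '*'."""
    minute, hour, dom, month, dow = schedule.split()
    if (dom, month, dow) != ("*", "*", "*"):
        raise ValueError("only every-day schedules are handled here")
    return [(h, m) for h in expand(hour, 0, 23) for m in expand(minute, 0, 59)]

def max_overlap(runs, max_sleep_s=3600):
    """Worst-case number of jobs alive at once if each job sleeps for
    less than max_sleep_s seconds before doing its work (runtime of the
    work itself is ignored, so this is a lower bound on the worst case)."""
    starts = [h * 3600 + m * 60 for h, m in runs]
    wrapped = starts + [s - 86400 for s in starts]  # include yesterday's runs
    return max(sum(1 for s in wrapped if t - max_sleep_s < s <= t)
               for t in starts)

if __name__ == "__main__":
    for sched in ("* */12 * * *", "0 0,12 * * *"):
        runs = daily_runs(sched)
        print(f"{sched!r}: {len(runs)} runs/day, "
              f"up to {max_overlap(runs)} sleeping at once")
```
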

So it appears after restarting cron with sudo /etc/init.d/cron restart my certificates successfully renewed overnight.

The logs are interesting: the last entry from before yesterday was from 2nd May. Then I did a dry-run last night. And then the actual renew was triggered around midnight. Since then I’ve also had quite a few logs so I will definitely have to change the cron job timing as @mnordhoff suggested.

This is interesting given @schoen’s comment that cron shouldn’t need to be restarted. Could that be a specific quirk of my OS/server setup?

Either way, I’m grateful it’s now sorted. I learned something new, yay!
