Automated renewals fail

This automated renewal failed:

Processing /usr/local/etc/letsencrypt/renewal/paulbeard.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 42.27417180936647 seconds
Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")
Attempting to renew cert (paulbeard.org) from /usr/local/etc/letsencrypt/renewal/paulbeard.org.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly."). Skipping.

Running the same command manually worked.

Processing /usr/local/etc/letsencrypt/renewal/paulbeard.org.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert is due for renewal, auto-renewing...

Plugins selected: Authenticator nginx, Installer nginx

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for paulbeard.org

Waiting for verification...

Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

new certificate deployed with reload of nginx server; fullchain is

/usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
paulbeard.org
I ran this command:
see above

It produced this output:
see above

My web server is (include version):
nginx 1.7
The operating system my web server runs on is (include version):
FreeBSD
My hosting provider, if applicable, is:
None
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.4.0


Can we see this file?:

And where/how the failing job is run automatically.


I should have mentioned that two other certificates were evaluated (not due for renewal) at the same time.

cat /usr/local/etc/letsencrypt/renewal/paulbeard.org.conf

# renew_before_expiry = 30 days

version = 1.4.0
archive_dir = /usr/local/etc/letsencrypt/archive/paulbeard.org
cert = /usr/local/etc/letsencrypt/live/paulbeard.org/cert.pem
privkey = /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
chain = /usr/local/etc/letsencrypt/live/paulbeard.org/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = [redacted]
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory


That file seems normal.

Now to the real issue:

via /etc/crontab, same as the other two (all as one job).

OK that is the where.
Can you show the how (exactly) ?

0 0 * * * root /usr/local/bin/python -c 'import random; import time; time.sleep(random.random() * 86400)' && /usr/local/bin/certbot renew

Is PATH in the cron environment set appropriately so that nginx can be found?

It seems likely if it works for two of the three instances it has to manage.

[root@www ~]# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

[root@www ~]# echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin

[root@www ~]# which nginx
/usr/local/sbin/nginx

What’s PATH in cron, though?

Why would it be able to renew two of three certificates if it couldn’t find the nginx binary?

I have edited PATH in /etc/crontab: PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

Maybe that will make all three processes work. This has been in place for months and often fails when certbot is updated. Has to be run by hand and then runs fine til the next update.

I find a noticeable difference between the two paths:

Some unique entries:
/etc
/root/bin

And ordering (sbin then bin):
/sbin:/bin
/usr/sbin:/usr/bin
/usr/local/sbin:/usr/local/bin

vs (bin then sbin)
/bin:/sbin
/usr/bin:/usr/sbin
/usr/local/bin:/usr/local/sbin

Ordering may not be much of a problem, but the uniqueness does seem to point to a potential problem. [not even sure why /etc made (the front of) the list]
Can you try making the cron path more similar to the working one?
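
The PATH comparison in this thread can be reproduced mechanically. The following is an added example, not code from the thread or from certbot: it resolves a binary against an explicit PATH string, as a job running with that PATH would, and lists the entries unique to each of the two PATH values quoted above. The function names `find_in_path` and `path_only_in` are made up for this example.

```shell
#!/bin/sh
# Added example: look up a binary in an explicit PATH string and diff two PATHs.

# find_in_path NAME PATHSTRING
# Prints the first executable regular file NAME found in PATHSTRING; returns 1 if none.
find_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    set -f                              # no globbing while splitting on ':'
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# path_only_in A B
# Prints each entry of PATH string A that does not appear in PATH string B.
path_only_in() {
    old_ifs=$IFS
    IFS=:
    set -f
    for dir in $1; do
        case ":$2:" in
            *":$dir:"*) ;;              # present in both
            *) printf '%s\n' "$dir" ;;
        esac
    done
    IFS=$old_ifs; set +f
}

# The two PATH values quoted in the thread (root's login shell and /etc/crontab).
LOGIN_PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
CRON_PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

echo "only in login PATH: $(path_only_in "$LOGIN_PATH" "$CRON_PATH")"
echo "only in cron PATH:  $(path_only_in "$CRON_PATH" "$LOGIN_PATH")"
for p in "$LOGIN_PATH" "$CRON_PATH"; do
    find_in_path nginx "$p" || echo "nginx not found in $p"
done
```

To check the PATH a cron job actually receives, have a temporary job write the output of `env` to a file and pass that PATH value to `find_in_path`.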

Hello, you should tell off your script that you want to use permission for executing the renew from the different directory where you put your script for renewing!

BR V.Varbanovski S.A.I.E
