Browsers not picking up new SSL certificate

Holy moly!
If systemd timers are installed, then they are running, and are the preferred way of executing certbot.
So we force the almighty CRON (all hail the CRON) to defer to systemd the DIVINE!

2 Likes

That makes sense. So are they, here? If so, how do we check what the great systemd has on its slate?

2 Likes

hmm...
@icykoala
ls -l /run/systemd/system

2 Likes

I'm not too familiar. I do need to bounce though. Back later. I think the answer is afoot. :foot:

2 Likes

I can vouch for that - rare indeed!

1 Like

I just get the output:
total 0

I haven't changed the crontab to remove 'root'. I'll check back here tomorrow to see where we're at. As the certs were renewing prior to two months ago, and the crontab contained 'root', something must have been working...sorta.

2 Likes

OK so that means /run/systemd/system is empty (not there).
This is good to know.

Yes, now we wait...

2 Likes

60 days? :woozy_face: :upside_down_face:

2 Likes

We can alter that wait time (temporarily) for testing.
Please show:
certbot certificates

And the renewal config that covers the domain in question.

2 Likes

sudo certbot certificates

output:
Found the following certs:
Certificate Name: vestasit.com
Domains: vestasit.com www.vestasit.com
Expiry Date: 2021-05-23 23:10:50+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/vestasit.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vestasit.com/privkey.pem

cat /etc/letsencrypt/renewal/vestasit.com.conf

output:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/vestasit.com
cert = /etc/letsencrypt/live/vestasit.com/cert.pem
privkey = /etc/letsencrypt/live/vestasit.com/privkey.pem
chain = /etc/letsencrypt/live/vestasit.com/chain.pem
fullchain = /etc/letsencrypt/live/vestasit.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = [account number]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
renew_hook = /usr/local/lsws/bin/lswsctrl reload
[[webroot_map]]
vestasit.com = /var/www/html
www.vestasit.com = /var/www/html

2 Likes

You can temporarily change this line:
# renew_before_expiry = 30 days
to:
renew_before_expiry = 87 days
And it should attempt to renew tomorrow.
[then put it back to 30 days or just rem it out]

4 Likes

"rem it out" meaning "add the # mark at the beginning again to disable this line of the configuration"

4 Likes

My bad - LOL

That is a bit "old school".

2 Likes

It has been changed and the dry run was successful. I'll check back tomorrow to ensure that the real certificates renewed.

3 Likes

So far no renewal. I'll check again tomorrow in case it needs to be less than 87 days.

3 Likes

It needs to be less than 87 days. You probably should have set it to 89 days.

2 Likes

We can change it to 88 and wait (up to) 12 hours to be sure.
AND
We can look in the logs to see if it has yet even tried to renew.

2 Likes

The certificate has renewed but I've checked a few browsers and they haven't picked up the new certificate. So am I back to my original problem? Or should I just give the browsers another day or two? I've tried hard refreshes but they're still showing the certificate that expires May 23 as opposed to the new one that expires on May 26.

2 Likes

Here is a small selection from the debug log in /var/log/letsencrypt/letsencrypt.log

2021-02-26 00:28:09,125:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/vestasit.com.conf.new.
2021-02-26 00:28:09,127:INFO:certbot.hooks:Running deploy-hook command: /usr/local/lsws/bin/lswsctrl reload
2021-02-26 00:28:09,136:INFO:certbot.hooks:Output from lswsctrl:
[ERROR] litespeed is not running.
2021-02-26 00:28:09,136:ERROR:certbot.hooks:Hook command "/usr/local/lsws/bin/lswsctrl reload" returned error code 2
2021-02-26 00:28:09,144:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-02-26 00:28:09,145:DEBUG:certbot.renewal:no renewal failures
2021-02-26 13:45:37,950:DEBUG:certbot.main:certbot version: 0.31.0

It looks like there's an error with the hook that reloads the server. But, when I check the log in /usr/local/lsws/logs/lsrestart.log, which I assume is a log of when the server has reloaded/restarted, I find the last few entries as

Tue Feb 23 00:10:52 UTC 2021
reload, LSWS running: 1
Fri Feb 26 00:28:09 UTC 2021
reload, LSWS running: 0

I feel like this means that it reloaded today. But even more confusing (maybe just to me) is that we removed that post-deploy reload hook from the crontab. But the server still reloaded?
crontab:
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

The hook is still in the config file /etc/letsencrypt/renewal/vestasit.com.conf:

# Options used in the renewal process
[renewalparams]
account = 1812750b834e59f2737f09ac1728fe0d
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
renew_hook = /usr/local/lsws/bin/lswsctrl reload
[[webroot_map]]
vestasit.com = /var/www/html
www.vestasit.com = /var/www/html

This is exactly what's been going on for about a year now. I have changed the hook in crontab a few times in the past but it has never solved the issue. Apparently it tries to run the hook even though it's not in crontab. What do I do next?

2 Likes
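The log excerpt in the post above shows the pattern worth checking for on any certbot host: the renew hook (`lswsctrl reload`) exits non-zero because the web server was not running, certbot logs that at ERROR level, and then still records "no renewal failures" because the certificate itself was issued fine. The new certificate sits in /etc/letsencrypt/live but the server keeps presenting the old one, which is exactly what the browsers here are seeing. The script below is an added example, not certbot's, LiteSpeed's or the poster's code: it scans the certbot log for hook failures that were masked this way, and separately compares the SHA-256 fingerprint of the certificate a server actually presents on port 443 with the leaf certificate in fullchain.pem on disk. It assumes the certbot 0.31 log line format shown in the thread; the sample log is a constructed copy of that excerpt, and the `stub_pem` helper builds a constructed stand-in PEM (not a real certificate) so the fingerprint functions can be exercised offline.

```python
"""Did a certbot renewal actually reach the web server?

Added example (not certbot's, LiteSpeed's or the thread poster's code).
Two checks:
  1. scan the certbot log for deploy/renew hook failures, which certbot logs at
     ERROR level but still follows with "no renewal failures";
  2. compare the SHA-256 fingerprint of the certificate a server presents on
     port 443 with the leaf certificate in the live fullchain.pem on disk.
Assumed: the certbot 0.31 log format, plus host name and paths from the thread.
"""
import base64
import hashlib
import re
import ssl
import sys

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
CERTBOT_LINE = re.compile(rf"^{TS}:")
HOOK_OUTPUT = re.compile(rf"^{TS}:INFO:certbot\.hooks:Output from \S+:")
HOOK_ERROR = re.compile(
    rf'^(?P<ts>{TS}):ERROR:certbot\.hooks:Hook command "(?P<cmd>[^"]+)" '
    r"returned error code (?P<code>\d+)"
)
NO_FAILURES = re.compile(r":DEBUG:certbot\.renewal:no renewal failures$")
NEW_RUN = re.compile(r":DEBUG:certbot\.main:certbot version:")

# Constructed sample: the thread's log excerpt, with the split "error code 2" line rejoined.
SAMPLE_LOG = """\
2021-02-26 00:28:09,125:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/vestasit.com.conf.new.
2021-02-26 00:28:09,127:INFO:certbot.hooks:Running deploy-hook command: /usr/local/lsws/bin/lswsctrl reload
2021-02-26 00:28:09,136:INFO:certbot.hooks:Output from lswsctrl:
[ERROR] litespeed is not running.
2021-02-26 00:28:09,136:ERROR:certbot.hooks:Hook command "/usr/local/lsws/bin/lswsctrl reload" returned error code 2
2021-02-26 00:28:09,144:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-02-26 00:28:09,145:DEBUG:certbot.renewal:no renewal failures
2021-02-26 13:45:37,950:DEBUG:certbot.main:certbot version: 0.31.0
"""


def find_hook_failures(lines):
    """Return one dict per failed hook: time, command, exit code, the output
    certbot captured from the hook, and 'masked' (True when certbot went on
    to report the run as having no renewal failures anyway)."""
    failures = []
    output_buf = None   # list while capturing a hook's output, else None
    run_start = 0       # index of the first failure belonging to the current run
    for raw in lines:
        line = raw.rstrip("\n")
        if not CERTBOT_LINE.match(line):
            # Hook output is echoed without certbot's timestamp prefix.
            if output_buf is not None:
                output_buf.append(line)
            continue
        if HOOK_OUTPUT.match(line):
            output_buf = []
            continue
        m = HOOK_ERROR.match(line)
        if m:
            failures.append({
                "time": m.group("ts"),
                "command": m.group("cmd"),
                "exit_code": int(m.group("code")),
                "output": " ".join(output_buf or []).strip(),
                "masked": False,
            })
        elif NO_FAILURES.search(line):
            for failure in failures[run_start:]:
                failure["masked"] = True
            run_start = len(failures)
        elif NEW_RUN.search(line):
            run_start = len(failures)
        output_buf = None   # any other certbot line ends output capture
    return failures


PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(rf"{PEM_HEADER}.*?{PEM_FOOTER}", re.S)


def first_pem_cert(bundle_text):
    """The first certificate in a PEM bundle, i.e. the leaf in fullchain.pem."""
    m = PEM_BLOCK.search(bundle_text)
    if m is None:
        raise ValueError("no PEM certificate in input")
    return m.group(0) + "\n"


def sha256_fingerprint(pem_cert):
    """SHA-256 over the DER encoding, the same value browsers show as the fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def served_matches_disk(host, fullchain_path, port=443):
    """True when the certificate presented on host:port is the leaf on disk."""
    served = ssl.get_server_certificate((host, port))
    with open(fullchain_path) as fh:
        leaf = first_pem_cert(fh.read())
    return sha256_fingerprint(served) == sha256_fingerprint(leaf)


def stub_pem(der_bytes):
    """Constructed stand-in PEM for offline runs: wraps arbitrary bytes, not a real certificate."""
    return f"{PEM_HEADER}\n{base64.b64encode(der_bytes).decode()}\n{PEM_FOOTER}\n"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python3 check_renewal.py vestasit.com /etc/letsencrypt/live/vestasit.com/fullchain.pem
        ok = served_matches_disk(sys.argv[1], sys.argv[2])
        print("served certificate matches disk" if ok else "MISMATCH: server still presents an old certificate")
        sys.exit(0 if ok else 1)
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for hit in find_hook_failures(lines):
        flag = " (run still reported as having no renewal failures)" if hit["masked"] else ""
        print(f'{hit["time"]}: hook {hit["command"]!r} exited {hit["exit_code"]}: {hit["output"]}{flag}')
```

Run with no arguments it scans the constructed sample and reports the masked hook failure; with a log path it scans a real /var/log/letsencrypt/letsencrypt.log; with a host name and a fullchain.pem path it does the live comparison, which is the quickest way to settle the "browsers have not picked it up" question, since a fingerprint mismatch means the server process never reloaded the new files rather than a browser cache problem.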

I found this forum where others are having the same issue. It doesn't seem that anyone has found a working solution yet either.

2 Likes