Certbot cron is not working

Every time, I manually run the command "certbot --nginx" because my cron command
"/usr/bin/certbot --nginx certonly --force-renewal -n -d mydoma.in" does not work.
Running "certbot renew --dry-run" manually does not work either; I get the error "/etc/letsencrypt/options-ssl-nginx.conf has been manually modified; updated file saved to /var/lib/snapd/snap/certbot/1582/lib/python3.8/site-packages/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf. We recommend updating /etc/letsencrypt/options-ssl-nginx.conf for security purposes."
But I didn't modify ANY file in the directory /etc/letsencrypt.
What do I have to do for a successful cron renewal?

That message sounds more like a warning than an actual error.. Are you sure your certificates aren't getting renewed? Or maybe there's another error somewhere in the log file?

Also, never use --force-renewal in a cron command! That is a very bad idea as it would probably get you in trouble with rate limits and waste a lot of Let's Encrypt resources by unnecessarily renewing certificates when that isn't even required! Please don't do that.

Another thing that just crossed my mind: could you perhaps have multiple installations of certbot? I.e., a snap version and also a version installed by your distribution's package manager? Maybe that explains why the snap version thinks your options-ssl-nginx.conf is different, maybe because it was put there by a different version of certbot.

3 Likes

In case you missed the small but important details:

Please show these outputs:
certbot --version
/usr/bin/certbot --version
which certbot

2 Likes

certbot 1.21.0
certbot 1.21.0
/usr/bin/certbot

Yesterday I did the following:

yum remove certbot
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

In cron:
0 15 1 */2 * /usr/bin/certbot certonly --nginx > /dev/null 2>&1 && /usr/bin/systemctl restart nginx > /dev/null 2>&1
Hope this will help. Thank you all for helping.

1 Like

That's not the renew command, I'm actually more interested in seeing why certbot renew --dry-run fails..

Also, I would recommend using --quiet instead of redirecting all output to /dev/null. By using --quiet certbot shouldn't spam you with useless info when run from cron, but you should be informed when there is an issue. By redirecting everything to /dev/null you wouldn't notice anything until it's too late or you'd need to monitor the log files separately.

3 Likes
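The three cron problems raised in the replies above (--force-renewal, output sent to /dev/null instead of --quiet, and a job that is not "certbot renew") can be checked mechanically. The script below is an added example, not code from any poster or from certbot; the function name, finding codes, the "0 3 * * *" schedule on the first job and the final "good" job are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint crontab text (stdin) for the certbot issues from this thread.
# Prints "line N: CODE: message" per finding; returns 1 if anything was flagged.
audit_certbot_cron() {
    _n=0; _found=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case "$_line" in
            ''|'#'*) continue ;;   # blank line or comment
            *certbot*) ;;          # a certbot job: inspect it
            *) continue ;;         # unrelated job
        esac
        _pad=" $_line "            # pad so whole-word matches work at the ends
        case "$_pad" in *--force-renewal*)
            echo "line $_n: FORCE_RENEWAL: reissues on every run (rate limits)"
            _found=1 ;;
        esac
        case "$_pad" in
            *" --quiet "*|*" -q "*) ;;   # certbot itself stays silent unless it fails
            */dev/null*)
                echo "line $_n: OUTPUT_DISCARDED: /dev/null without --quiet hides failures"
                _found=1 ;;
        esac
        case "$_pad" in
            *certbot*" renew "*) ;;
            *)  echo "line $_n: NOT_RENEW: job does not run 'certbot renew'"
                _found=1 ;;
        esac
    done
    return "$_found"
}

# Constructed sample: jobs 1 and 2 use the command lines quoted in the thread
# (schedule on job 1 is made up); job 3 is a constructed renew job.
SAMPLE_CRONTAB='# certbot jobs
0 3 * * * /usr/bin/certbot --nginx certonly --force-renewal -n -d mydoma.in
0 15 1 */2 * /usr/bin/certbot certonly --nginx > /dev/null 2>&1 && /usr/bin/systemctl restart nginx > /dev/null 2>&1
17 3,15 * * * /usr/bin/certbot renew --quiet'

printf '%s\n' "$SAMPLE_CRONTAB" | audit_certbot_cron || true
```

To check a real crontab, pipe it in: `crontab -l | audit_certbot_cron`.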

Please see if certbot snap has already created a systemd timer to handle the automated renewals.
Show:
systemctl list-timers --all | grep certbot

2 Likes

NEXT                         LEFT          LAST                         PASSED  UNIT                         ACTIVATES
Fri 2021-11-05 21:14:00  2h 27min left Fri 2021-11-05 06:28:02  12h ago snap.certbot.renew.timer     snap.certbot.renew.service

So I don't need cron?)
But how do I increase the timer interval? I do not want it to work every hour/day/etc.
Or I just disable it ...

No.

What do you mean?
systemd works all the time and it barely uses any resources.
The timer trigger for certbot is only twice a day - the recommended interval to check for expired certs.

1 Like

See last trigger:

Not triggered 24/7/365.

1 Like
