Certbot cron is not working

every time manually I run command "certbot --nginx" because my cron command
"/usr/bin/certbot --nginx certonly --force-renewal -n -d mydoma.in" does not working.
and manually "certbot renew --dry-run" does not working, I get error "/etc/letsencrypt/options-ssl-nginx.conf has been manually modified; updated file saved to /var/lib/snapd/snap/certbot/1582/lib/python3.8/site-packages/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf. We recommend updating /etc/letsencrypt/options-ssl-nginx.conf for security purposes."
But I didn't modify ANY file in directory /etc/letsencrypt.
What have I do for success cron renewal?????????????????

That message sounds more like a warning than an actual error.. Are you sure your certificates aren't getting renewed? Or maybe there's another error somewhere in the log file?

Also, never use --force-renewal in a cron command! That is a very bad idea as it would probably get you in trouble with rate limits and waste a lot of Let's Encrypt resources by unnecessarily renewing certificates when that isn't even required! Please don't do that.

Another thing that just crossed my mind: could you perhaps have multiple installations of certbot? I.e., a snap version and also a version installed by your distributions package manager? Maybe that explains why the snap version thinks your options-ssl-nginx.conf is different, maybe because it was put there by a different version of certbot.


In case you missed the small but important details:

Please show these outputs:
certbot --version
/usr/bin/certbot --version
which certbot

certbot 1.21.0
certbot 1.21.0

yesterday I did the following:

yum remove certbot
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

in cron:
0 15 1 */2 * /usr/bin/certbot certonly --nginx > /dev/null 2>&1 && /usr/bin/systemctl restart nginx > /dev/null 2>&1
hope this will help. thank you all for helping.

1 Like

That's not the renew command, I'm actually more interested in seeing why certbot renew --dry-run fails..

Also, I would recommend to use --quiet instead of redirecting all output to /dev/null. By using --quiet certbot shouldn't spam you with useless info when ran from cron, but you should be informed when there is an issue. By redirecting everything to /dev/null you wouldn't notice anything until it's too late or you'd need to monitor the log files separately.


Please see if certbot snap has already created a systemd timer to handle the automated renewals.
systemctl list-timers --all | grep certbot

NEXT                         LEFT          LAST                         PASSED  UNIT                         ACTIVATES
Fri 2021-11-05 21:14:00  2h 27min left Fri 2021-11-05 06:28:02  12h ago snap.certbot.renew.timer     snap.certbot.renew.service

so I don't need cron?)
but how to increase the timer interval, I do not want it to work every hour/day/etc
or I just disable it ...


What do you mean?
systemd works all the time and it barely uses any resources.
The timer trigger for certbot is only twice a day - the recommended interval to check for expired certs.

1 Like

See last trigger:

Not triggered 24/7/365.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.