Certbot macOS crontab instructions need fixing

The current instructions for adding certbot renewal to /etc/crontab on macOS don't seem to work.

At least they don't seem to work on macOS High Sierra.

I had to modify the entry in crontab to have the complete path to certbot in order to get it to run.

I only discovered this after my certs expired because automatically renewing them via cron didn't work.

I think it might be better to modify the instructions to have users run "sudo crontab -e" and then paste the line into root's crontab entries rather than placing the entry in /etc/crontab. (Also, you have to remove "root" from the line when putting it inside root's crontab.)

1 Like

Thanks for the report, we should fix this (macOS cron instructions don't work because Certbot isn't in the cron PATH · Issue #8974 · certbot/certbot · GitHub).

Did you install Certbot from Homebrew?

I think the aim here was to have a one-liner that could be copy pasted.

For some users, figuring out a terminal text editor might be a big ask.

4 Likes

Yes, that's how I installed it.

Good point, especially since "crontab -e" on my Mac, by default, invokes vi and not something a little more user friendly like nano.

1 Like

Here's a one-liner that will put the entry in root's crontab instead of /etc/crontab:

sudo crontab -l | { cat; echo "0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q"; } | sudo crontab -

2 Likes

[correct me if I'm wrong]
But doesn't it do more than just add that one line?
If I read that correctly, the first part lists the current user's cron entries.
The second part appends the line in question.
The third part inserts the output of the previous two as replacement entries into the root user's cron.
OR does that last part go into the current user's cron?

If third part writes to root user cron, then it seems to overwrite what was there.
If third part writes to current user, then it might not execute with proper credentials.
Only if the current user is root does this make sense (to me).

2 Likes

"sudo crontab -l" lists the root user's crontab entries.

2 Likes

Sorry for my shorter reply last night.

I tested this on my system before suggesting it here. The first part read from root's crontab and third part wrote to root's crontab on my macOS High Sierra computer. So, as far as adding that line to root's crontab (when run from a non-root account), it produced the desired result for me in my testing.

However, when I checked the Let's Encrypt logs this morning, certbot did not appear to have run some time after midnight last night. So, I'm doing some more testing to see why that is.

Basically, I've modified the entry in root's crontab to look like this:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && date >> /var/log/certbot.log && certbot renew >> /var/log/certbot.log 2>&1

So that I can both see if the scheduled job is running as intended and see what error is produced by trying to run certbot without a full path from root's crontab. (I had to add the full path to certbot in order to get it to run from /etc/crontab.)

2 Likes

OK, EDITOR=nano crontab -e.

3 Likes

But I like vi !
LOL

2 Likes

Turns out, placing the certbot command in root's crontab (without the full path) results in the following error:

/bin/sh: certbot: command not found

Just like when it was in /etc/crontab.

2 Likes

I always use full paths :)
[old sckool tips and tricks]

2 Likes

Point taken, except I started this thread because the instructions at:

...don't have the full path to certbot and I followed those instructions and thought my certs would auto renew and then they didn't.

2 Likes

This version of a one liner worked to put the entry in /etc/crontab with the full path to certbot on my High Sierra Mac:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && $(which certbot) renew -q" | sudo tee -a /etc/crontab > /dev/null

2 Likes

If certbot is not in the crontab path, here are three ways to fix it.

  • Change or set PATH in the crontab file
    a@fumatica:~/threefive$ crontab -l
    #
    SHELL=/bin/sh
    # This is the crontab PATH
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    HOME=/var/log
    ...

OR

  • Use the absolute path instead of just calling certbot
    /usr/local/bin/certbot renew

OR

  • Use the which command with backticks
    `which certbot` renew

This is not a problem with certbot, it's just how cron works.

1 Like
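
Added example, not part of any post in this thread: a sketch that combines the root-crontab one-liner with the absolute-path fix discussed above, keeping existing entries and not duplicating the line on a re-run. The function names are hypothetical, and the cron PATH of /usr/bin:/bin is an assumption about cron's default when the crontab sets none.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from Certbot or the thread.

# Assumption: PATH a cron job gets when the crontab does not set one.
CRON_PATH="/usr/bin:/bin"

# Return 0 if command $1 would be found by a job running with cron's PATH.
# A Homebrew certbot in /usr/local/bin fails this check, which is the
# "certbot: command not found" error reported in the thread.
resolves_under_cron() {
    env -i PATH="$CRON_PATH" /bin/sh -c 'command -v "$1" >/dev/null 2>&1' sh "$1"
}

# Print a root-crontab line (no user field) that calls certbot by absolute path.
# $1 = absolute path to certbot, resolved in the interactive shell at install time.
cron_line() {
    case "$1" in
        /*) ;;
        *) echo "cron_line: need an absolute path, got '$1'" >&2; return 1 ;;
    esac
    printf '%s\n' "0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && $1 renew -q"
}

# Read an existing crontab on stdin and write it to stdout with $1 added once.
# Existing entries are kept; an identical line already present is not repeated.
add_entry() {
    line=$1
    existing=$(cat)
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
    fi
    if ! printf '%s\n' "$existing" | grep -Fqx -- "$line"; then
        printf '%s\n' "$line"
    fi
}

# Usage from a non-root account (left commented out so sourcing this file
# changes nothing):
#   resolves_under_cron certbot || echo "certbot is not on cron's PATH"
#   sudo crontab -l 2>/dev/null \
#     | add_entry "$(cron_line "$(command -v certbot)")" \
#     | sudo crontab -
```
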

I don't think anyone was saying that it's a problem with certbot. I think the problem is with the instructions at this web page:

https://certbot.eff.org/lets-encrypt/osx-apache

...especially the section titled "Set up automatic renewal".

2 Likes
