Cron job for cert renewal on Amazon Linux

I just created my first cron job for renewing certs using certbot-auto. The advice and examples for this online are all over the map, but I found what I think is the recommended solution: running certbot-auto renew twice a day at random times within designated hours. Would some gurus be willing to just look over my code here and tell me if this is correct? Much appreciated. This is on Amazon Linux EC2 with Apache 2.4. Certbot-auto is installed in the ec2-user home directory.

0 3,15 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo ./home/ec2-user/certbot-auto renew --debug

I do not have to restart Apache separately, correct? Doesn’t certbot-auto do that when it renews the cert?

Thanks for the tips.

You can't use sudo non-interactively in a crontab like that. You should put it into root's crontab and remove the sudo.

Remove the leading . on the path to certbot-auto as well.

That is entirely up to your renewal parameters, defined in /etc/letsencrypt/renewal/*.conf.

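As an added illustration of the two fixes in the reply above (this is not the poster's script and not part of certbot), the following POSIX shell snippet lints a certbot-auto crontab entry for `sudo` and for a relative path, then renders a corrected entry in both forms a root job can take. The certbot-auto path, the hours and the randomized delay are taken from the original post; the function names and the lint messages are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code and not part of certbot):
# lint a certbot-auto crontab entry for the two problems named in the reply
# (sudo inside a cron job, relative path to certbot-auto) and render a corrected
# root entry. CERTBOT_AUTO is the path from the post; the hours and the
# randomized delay are the poster's; everything else here is assumed.

CERTBOT_AUTO=/home/ec2-user/certbot-auto
RANDOM_DELAY="python -c 'import random; import time; time.sleep(random.random() * 3600)'"

# Print one finding per problem found in a crontab line; print nothing if clean.
lint_cron_line() {
    case "$1" in
        *sudo*) echo "sudo: cron has no terminal for a password prompt; put the job in root's crontab and drop sudo" ;;
    esac
    case "$1" in
        *" ./"*|*" ../"*) echo "relative path: cron does not start in your home directory; use an absolute path" ;;
    esac
}

# Succeed only when lint_cron_line has nothing to report.
cron_line_ok() {
    [ -z "$(lint_cron_line "$1")" ]
}

# Entry for 'crontab -e' run as root: five time fields, then the command.
render_user_cron_line() {
    printf '%s\n' "0 3,15 * * * $RANDOM_DELAY && $CERTBOT_AUTO renew --debug"
}

# Entry for /etc/crontab, which takes a sixth field naming the user to run as.
render_system_cron_line() {
    printf '%s\n' "0 3,15 * * * root $RANDOM_DELAY && $CERTBOT_AUTO renew --debug"
}

# The entry as posted, reconstructed here so the lint has input to work on.
POSTED_LINE="0 3,15 * * * $RANDOM_DELAY && sudo ./home/ec2-user/certbot-auto renew --debug"

echo "Findings for the posted entry:"
lint_cron_line "$POSTED_LINE"
echo
echo "Corrected entry for 'crontab -e' as root:"
render_user_cron_line
echo
echo "Corrected entry for /etc/crontab:"
render_system_cron_line
```

The two rendered forms differ only in the user field: an entry added with `crontab -e` while root has five time fields and then the command, whereas /etc/crontab expects a sixth field naming the user, so an entry pasted into /etc/crontab without `root` in that position will not run as intended.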

Thanks, I’ll remove sudo and the leading . in the path. I ran sudo nano /etc/crontab so that should have put it in the root crontab right?

Do I test this by logging in as root and running that command with --dry-run appended to the end?

And will my log show a record of the cron job running so I can confirm it’s working?

It should appear in the cron log (either /var/log/cron or journalctl -u cron) and also in /var/log/letsencrypt/.

Yes, that should work.

That's right.
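To make the log check in the reply above concrete, here is an added POSIX shell example (not the poster's code and not part of certbot) that separates "the cron job fired" from "a certificate was actually deployed" by reading the two logs the reply names. The sample log lines are constructed for this example, the cron-log and letsencrypt-log line formats are assumed, and example.com stands in for a real domain; on a live host the inputs would be /var/log/cron and /var/log/letsencrypt/letsencrypt.log.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code and not part of certbot):
# tell "cron launched the job" apart from "certbot deployed a certificate".
# All sample lines below are constructed; the log formats are assumptions.

# Constructed sample of /var/log/cron: two firings of the root job, one unrelated job.
sample_cron_log() {
cat <<'EOF'
Mar 10 03:00:01 ip-10-0-0-5 CROND[2231]: (root) CMD (python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/ec2-user/certbot-auto renew --debug)
Mar 10 03:10:01 ip-10-0-0-5 CROND[2290]: (ec2-user) CMD (/usr/bin/uptime)
Mar 10 15:00:01 ip-10-0-0-5 CROND[4102]: (root) CMD (python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/ec2-user/certbot-auto renew --debug)
EOF
}

# Constructed sample of letsencrypt.log: the morning run found nothing due,
# the afternoon run deployed a certificate (the deployment message is the one
# quoted from certbot-auto elsewhere in this thread).
sample_letsencrypt_log() {
cat <<'EOF'
2019-03-10 03:41:12,501:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-10 15:22:03,118:INFO:certbot.main:new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/example.com/fullchain.pem
EOF
}

# How many times cron launched certbot-auto as root (stdin: cron log).
count_cron_runs() {
    grep -c '(root) CMD (.*certbot-auto renew' || :
}

# How many certificates were actually deployed (stdin: letsencrypt log).
count_deployments() {
    grep -c 'new certificate deployed' || :
}

# Path of the most recently deployed fullchain, or nothing (stdin: letsencrypt log).
latest_fullchain() {
    sed -n 's/.*fullchain is \(.*\)$/\1/p' | tail -n 1
}

# One-line verdict from both logs: $1 is the cron log text, $2 the letsencrypt log text.
renewal_summary() {
    runs=$(printf '%s\n' "$1" | count_cron_runs)
    deployed=$(printf '%s\n' "$2" | count_deployments)
    if [ "$runs" -eq 0 ]; then
        echo "FAIL: cron never launched certbot-auto; check the crontab entry and the crond service"
    elif [ "$deployed" -eq 0 ]; then
        echo "OK: job ran $runs time(s), nothing was due for renewal yet"
    else
        echo "OK: job ran $runs time(s), $deployed certificate(s) deployed, latest: $(printf '%s\n' "$2" | latest_fullchain)"
    fi
}

renewal_summary "$(sample_cron_log)" "$(sample_letsencrypt_log)"
```

A job that runs twice a day and deploys nothing is the normal state: certbot-auto renew only replaces a certificate that is close to expiry, so "ran, nothing due" is a pass, and only "never ran" points at the crontab. On Amazon Linux the cron service unit is named crond, so the journalctl form of the check is `journalctl -u crond`.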

To expand on this, it depends what installer was used to issue the certificate. If you used certonly or --installer/-i none, then you will need to restart Apache manually. If you used --apache, then you don't need to do anything.

Thanks much.

I noticed when I ran certbot-auto renew --debug manually earlier today, it seemed to indicate that Apache was restarted and the date shown by my browser was correctly updated, so I’m thinking I don’t need to add an Apache restart to the cron job.

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem