Cron job for cert renewal on Amazon Linux


#1

I just created my first cron job for renewing certs using certbot-auto. The advice and examples for this online are all over the map, but I found what I think is the recommended solution–running certbot-auto renew twice a day at random times withing designated hours. Would some gurus be willing to just look over my code here and tell me if this is correct? Much appreciated. This is on Amazon Linux EC2 with Apache 2.4. Certbot-auto is installed in the ec2-user home directory.

0 3,15 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo ./home/ec2-user/certbot-auto renew –debug

I do not have to restart Apache separately, correct? Doesn’t certbot-auto do that when it renews the cert?

Thanks for the tips.


#2

You can’t use sudo non-interactively in a crontab like that. You should put it into root’s crontab and remove the sudo.

Remove the leading . on the path to certbot-auto as well.

That is entirely up to your renewal parameters, defined in /etc/letsencrypt/renewal/*.conf.


#3

Thanks–I’ll remove sudo and the leading . in the path. I ran sudo nano /etc/crontab so that should have put it in the root crontab right?

Do I test this by logging in as root and running that command with --dry-run appended to the end?

And will my log show a record of the cron job running so I can confirm it’s working?


#4

It should appear in the cron log (either /var/log/cron or journalctl -u cron) and also in /var/log/letsencrypt/.

Yes, that should work.

That’s right.

To expand on this, it depends what installer was used to issue the certificate. If you used certonly or --installer/-i none, then you will need to restart Apache manually. If you used --apache, then you don’t need to do anything.


#5

Thanks much.

I noticed when I ran certbot-auto renew --debug manually earlier today, it seemed to indicate that Apache was restarted and the date shown by my browser was correctly updated, so I’m thinking I don’t need to add an Apache restart to the cron job.

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test.swansislandcompany.com/fullchain.pem

#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.