I seem to be having an issue with running the ssl renew command when using cron.
I am near 100% certain that I have the right configuration in my crontab -e (I have it set to renew once a month). I'm running Ubuntu OS.
I will post the command when I am done with my commute but wanted to see if this ticket might get any traction in the meantime. The command I run works to renew the cert when I simply run it myself.
Is this not how the auto renew should be done? I am assuming someone has encountered this before me.
First off, this is not the recommended way to set up cron. Best practice is to run renewal twice a day. Certbot will only attempt to renew certs within 30 days of expiration by default.
However, as to the reason cron isn't renewing, we're going to need some more information as there could be dozens of reasons. Seeing the cron job itself, as well as the logs after the scheduled job runs would be the first steps.
As there are no specific details I can only guess the answer is NO.
And that you are doing something different between when you successfully "run it myself" and fail "when using cron".
If you’re using Certbot, you can literally run certbot renew every day (we’ve even suggested twice per day). It looks at the expiry time of each certificate, so it means “renew anything that’s a month from expiring”, not “renew everything”.
If you do run it that infrequently, I hope you have a very reliable way that it can notify you if it fails (for example, due to an intermittent CA service outage).
The guide worked great, however the auto-renew cron job does not seem to fire on my server. I keep having to go in and manually run the update command to get my certs renewed.
I followed the guide carefully and placed the following in my crontab ( sudo crontab -e )
I think you gave us the wrong link because that’s not a DO guide.
I’m a little confused by why there is no output in that log file other than the OS package update information, but I’ll point out that you aren’t using renew as we intended it to be used. The default behavior of certbot renew is to check each installed certificate’s expiration date and renew it if it’s less than 30 days away from expiry.
Because of that, certbot renew can be run very frequently—we recommend running it twice per day. It will almost always look at the local certificates and decide that no action is necessary yet.
Although I don’t know why you don’t see messages to this effect in your logs, I’m guessing that the renew script decided that no action was necessary and therefore didn’t take any action.
There is a form --force-renewal where every certificate is forced to be renewed immediately, regardless of how close to expiry it is, but for various reasons we don’t recommend using that from cron. If you do want the certificate to be renewed sooner than 30 days before expiry, you can edit the renewal configuration files in /etc/letsencrypt/renewal and set renew_before_expiry to a higher value than the default 30 days (bearing in mind that if you choose a value higher than 82 days or if you have multiple certificates for subdomains of the same domain, you might run into rate limits from the certificate authority side).
For comparison, you could check what happens when you simply run /opt/letsencrypt/letsencrypt-auto renew yourself on the command line. Hopefully it will say something to the effect that it checked your local certificates and found that none of them were due for renewal yet.
Also, depending on what plugin you used, you may not need to reload nginx explicitly from your cron job. (With --nginx you probably don’t, while with --webroot you probably do.) Rather than always reloading nginx after running the renewal script, we have a form called --deploy-hook where you can say --deploy-hook "service nginx reload" or similar, in which case Certbot itself will run this command after obtaining new certificates.
We might have caused some unnecessary confusion by having a new person come into your thread and ask a possibly unrelated question. (Maybe I should have split it out into a new topic!) My recollection was that we thought your setup was OK… did you see something that made you think otherwise?
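The advice in the replies above (run `certbot renew` twice a day, reload nginx through `--deploy-hook`, and make sure a failed run gets noticed) can be combined in one cron wrapper. This is an added example, not code from any poster in this thread or from the Certbot project; the script path, log path and schedule are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper around "certbot renew".
# LOG_FILE, the script path and the schedule are assumptions, not from the thread.
LOG_FILE="${LOG_FILE:-/var/log/certbot-cron.log}"
# Override RENEW_CMD for other clients, e.g. "/opt/letsencrypt/letsencrypt-auto renew".
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"
# Certbot runs the hook itself, and only after it obtained a new certificate.
DEPLOY_HOOK="${DEPLOY_HOOK:-service nginx reload}"

# Run one renewal check, append a timestamped record to LOG_FILE and
# return the renewal command's exit code.
renew_and_report() {
    start="$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
    # RENEW_CMD is word-split on purpose; the hook stays a single argument.
    if output="$($RENEW_CMD --deploy-hook "$DEPLOY_HOOK" 2>&1)"; then
        rc=0
    else
        rc=$?
    fi
    {
        echo "[$start] exit=$rc cmd=$RENEW_CMD"
        if [ -n "$output" ]; then echo "$output"; fi
    } >> "$LOG_FILE"
    if [ "$rc" -ne 0 ]; then
        # Anything printed here is mailed by cron to the crontab owner
        # (or MAILTO) when local mail delivery is set up.
        echo "certbot renewal failed (exit $rc), see $LOG_FILE" >&2
        if [ -n "$output" ]; then echo "$output" >&2; fi
    fi
    return "$rc"
}

# Acts only when called with --run, e.g. from root's crontab, twice a day:
#   17 3,15 * * * /usr/local/sbin/certbot-cron.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_and_report
fi
```

On most runs the log will show only an `exit=0` line, because Certbot finds nothing within 30 days of expiry and takes no action.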