The cron job created by certbot contains:
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e ‘sleep int(rand(3600))’ && certbot -q renew
The part which tests for the /run/systemd/system directory not existence will always evaluate to false so the renewal should never happen. Is this a bug?
Does it run or not?
A simple test on if it has run or not would be:
grep renewal /var/log/letsencrypt/letsencrypt* | more
I’ve just got my 1th key pair so no renew for the moment.
Certbot is actually using a systemd timer (/lib/systemd/system/certbot.timer) for the renewals, on systems that use systemd. The cron job is a fallback for systems that don’t use systemd, so it first checks if systemd is available and bails out if so. Ubuntu 16.04 does use systemd, so on that system the systemd timer should run and the cron job should not.
Not sure what web server you are using but I just wrote my own bash script like this
#!/bin/bash
cd /opt/certbot
sudo ./certbot-auto renew --renew-hook "service nginx reload" >> /var/log/certbot-renew.log | mail -s "CERTBOT Renewals server1.mydomain.com" me@mydomain.com < /var/log/certbot-renew.log
exit 0
which then triggers with cron every day at 8pm
00 20 * * * /bin/certbotrenew.sh
The logic is sound and programming is clean 
(liked)
But does it scale well?
It seems you are emailing the entire logfile; which will continue to grow and grow over time.
So the only thing I would consider adding, would be to roll the logs at some date or size interval or maybe just email a tail piece of the log.
Or you could separate the most recent log entry into its’ own file and just email that file then append it to the larger complete history file.
I left one line off my bash script, this is how it really looks to deal with that problem
#!/bin/bash
cd /opt/certbot
sudo ./certbot-auto renew --renew-hook "service nginx reload" >> /var/log/certbot-renew.log | mail -s "CERTBOT Renewals server1.mydomain.com" me@mydomain.com < /var/log/certbot-renew.log
sudo truncate -s 0 /var/log/certbot-renew.log
exit 0Well if your going to truncate it, why even use “>>” ? Just use “>”; that should overwrite the original file.
I think you could keep the history though (other than the emailed history) via separating it into /var/log/certbot-renew-latest.log file, email that small one, and then append it to the larger /var/log/certbot-renew.log historical file.
It should only grow every ~60 days, so it can’t really get that big.
Well spotted … now I can reduce my bash script by one line of code 
I don’t really need the history of that log file as it’s all in /var/log/letsencrypt/letsencrypt.log which is enough for me.
I’m going to try this new approach for a little while and see.
#!/bin/bash
cd /opt/certbot
sudo ./certbot-auto renew --renew-hook "service nginx reload" > /var/log/certbot-renew-mailout.log | mail -s "CERTBOT Renewals server1.mydomain.com" me@mydomain.com < /var/log/certbot-renew-mailout.log
exit 0
… if you see how many servers I operate and how many GIT repo’s I operate I have enough history to last me a lifetime.
Here’s a bash script I originally got from @serverco which I never quite got to work properly until this morning, I had a stupid typo in it but this works great and keeps the history log. You can do any variations you like on the command run like sudo /opt/certbot/certbot-auto renew --post-hook "service nginx reload"
#!/bin/bash
# Run our Certbot Renew Command and Send the Output to our variable "cboutput"
cboutput=$(sudo /opt/certbot/certbot-auto renew)
# If The Command Returned Output Then Send a Mail and Append to our Log File
if [[ ! -z "$cboutput" ]]; then
echo "$cboutput" | mail -s "CERTBOT Renewals - server1.com" me@myemail.com
echo "$cboutput" >> /var/log/certbot-renew.log
fi
exit 0
So if you prefer running the standalone authenticator which some people do because they can not get their acme challenges working properly you could do something like this
#!/bin/bash
# Run our Certbot Renew Command and Send the Output to our variable "cboutput"
cboutput=$(sudo /opt/certbot/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" )
# If The Command Returned Output Then Send a Mail and Append to our Log File
if [[ ! -z "$cboutput" ]]; then
echo "$cboutput" | mail -s "CERTBOT Renewals - server1.com" me@myemail.com
echo "$cboutput" >> /var/log/certbot-renew.log
fi
exit 0This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.