Cron job to run every 90 days vs. 3 months?

I ran sudo certbot --apache and it set up a cron job to renew my cert automatically, supposedly every 90 days:

0   7  8   2,5,8,11  *     /usr/bin/certbot renew

However, this cron job doesn’t run every 90 days. It runs every 3 months. That means it’ll sometimes be off by a day or two, leaving an invalid SSL cert during that time. Right now, for example, the Let’s Encrypt Expiry Bot is telling me that my cert will expire on 07 Feb 18 18:37 +0000. Notice that my cron job won’t run until 08 Feb 2018, a day late.

I can hand-edit this cron job to run (say) every other month to avoid a gap in SSL coverage, but shouldn’t this problem not happen when certbot sets things up for auto-renewal?

This is certbot 0.19.0 on Ubuntu 16.04 Xenial with Apache 2.4. The domain is kidreviewz.com.

Thanks!

You can (and should) run certbot renew every day.

It will not do anything if certificates do not need to be renewed.

Your approach (once every 90 days) is dangerous because any intermittent issue will cause Certbot to fail, and there would not be a further attempt until another 90 days have elapsed.


Thanks for the info. The cron job was set up automatically for me during the certbot installation/config process. Should I report this behavior as a bug?

I am not sure where that cron entry would have come from.

Looking at the python-certbot 16.04 package, it contains a cron entry and a systemd timer:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

and

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target

neither of which looks like what you have.

The certbot codebase itself does not create cron entries as far as I can tell; it is left up to the packager.

Can you check for /etc/cron.d/certbot existence?

@schoen does OP’s cron entry look familiar? Maybe from an ancient version of certbot?

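The scheduling difference discussed above, as an added example that is not part of any post in this thread: it replays `certbot renew` under the quarterly entry from the first post and under the packaged twice-daily entry, starting from the expiry time the first post quotes. Assumptions: the server clock is UTC, every due renewal succeeds immediately, each new certificate is valid for exactly 90 days from the run, and the random delay is ignored.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
LIFETIME = timedelta(days=90)      # Let's Encrypt certificate lifetime
RENEW_WINDOW = timedelta(days=30)  # "Renewal will only occur if expiration is within 30 days"

def quarterly_runs(year):
    """Fire times of `0 7 8 2,5,8,11 *` in one year (server clock assumed UTC)."""
    return [datetime(year, m, 8, 7, 0, tzinfo=UTC) for m in (2, 5, 8, 11)]

def twice_daily_runs(year):
    """Fire times of `0 */12 * * *` in one year, ignoring the random delay."""
    t, runs = datetime(year, 1, 1, tzinfo=UTC), []
    while t.year == year:
        runs.append(t)
        t += timedelta(hours=12)
    return runs

def simulate(not_after, runs):
    """Replay `certbot renew` at each run time.

    Returns (renewals, gaps): how many runs actually renewed, and the
    periods during which the served certificate was already expired.
    """
    renewals, gaps = 0, []
    for run in runs:
        if run < not_after - RENEW_WINDOW:
            continue                      # not due yet: certbot does nothing
        if run > not_after:
            gaps.append(run - not_after)  # cert expired before this run
        not_after = run + LIFETIME        # assumed: renewal succeeds at once
        renewals += 1
    return renewals, gaps

# Expiry quoted in the first post: 07 Feb 18 18:37 +0000
EXPIRY = datetime(2018, 2, 7, 18, 37, tzinfo=UTC)

if __name__ == "__main__":
    for name, runs in (("quarterly", quarterly_runs(2018)),
                       ("twice daily", twice_daily_runs(2018))):
        renewals, gaps = simulate(EXPIRY, runs)
        print(f"{name}: {renewals} renewals, expired for {sum(gaps, timedelta())}",
              [str(g) for g in gaps])
```

A single failed run is not modelled; under the quarterly schedule it would leave the expired certificate in place until the next quarter, while the twice-daily schedule retries 12 hours later with up to 30 days of validity still remaining.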

Thanks so much. /etc/cron.d/certbot exists with the content you showed. I’ve deleted the bogus entry that I found in root’s crontab.

@_az, no, I haven’t seen that before.

@joohoi @bmw, have you seen something like this? Did someone perhaps get confused downstream by some of the packaging advice?

There are versions of this advice in

http://roadl.com/article/skill/certbot.html

but neither seems to match what @mymph had.

I’m not aware of any of our packagers including such a cronjob. Also @mymph said that this was in root’s (user) crontab. This suggests that someone has added it there manually.

I wonder if the system was / is managed by multiple users, and someone could have manually added that based on a misguiding tutorial previously?

It’s possible. I recommend you close this ticket since there’s a chance that the cron entry was added manually.
