Cron Timer, Renewal, adjust trigger?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: teamsaluda.com (honeypot)

I ran this command: N/A

It produced this output: N/A

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-112-generic x86_64)

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

##################################

Hello,
I just upgraded from Let's Encrypt to Certbot, following the instructions at https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

It worked, thank you very much!

Now I have two questions about the Cron / Timer job which was installed to auto update certs.

1: Why does this run twice a day, if auto renewals are attempted when a cert is expiring within 30 days?
In my "lean" mindset, that seems like a waste of resources.

2: Can the cron job trigger be changed to weekly, and how?

Using $ ps -p1 #comment: (number 1, not letter l)
I see I am using systemd timers, not cron jobs.

I found 3 certbot.timer files:
/lib/systemd/system/certbot.timer
/etc/systemd/system/timers.target.wants/certbot.timer
(both files are identical)
/var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/certbot.timer
(this file is blank)

2a: Which of those files do I edit to change the Calendar trigger to weekly?

Note to others reading this: after editing timer, reload daemon systemctl

Thanks!

1 Like

There are a few reasons it runs frequently:

  • So that all of your certificates don’t bunch up and renew at the same time. That would make load spikier for you and for Let’s Encrypt, and would have implications with the rate limits.

  • The more attempts it makes to renew a certificate, the less likely it is for a temporary outage to allow a certificate to expire.

  • Partly for the sake of features that may exist in the future, like OCSP stapling management (which is under development), or automatically renewing revoked certificates.

It’s not that expensive for Certbot to run, examine all your certificates, see that none of them need to be renewed, and exit.

2 Likes
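
For question 2a, an added example that is not part of either post: systemd settings from a packaged unit are normally changed with a drop-in under /etc/systemd/system/certbot.timer.d/ rather than by editing any of the three files listed, because /lib/systemd/system/certbot.timer belongs to the package. The function names, the `weekly` schedule and the `12h` delay are assumptions chosen for illustration; `attempts_in_window` puts a number on the retry point made in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample values are
# hypothetical.

# write_certbot_override DROPIN_DIR CALENDAR DELAY
# Writes a drop-in that replaces the timer's schedule. On a real host
# DROPIN_DIR is /etc/systemd/system/certbot.timer.d; the unit shipped in
# /lib/systemd/system stays untouched, so package upgrades do not undo it.
write_certbot_override() {
    dropin_dir=$1
    calendar=$2
    delay=$3
    mkdir -p "$dropin_dir" || return 1
    cat > "$dropin_dir/override.conf" <<EOF
[Timer]
# The empty assignment clears the packaged schedule. Without it the new
# value is added to the existing list and the timer keeps firing twice a day.
OnCalendar=
OnCalendar=$calendar
# Random delay so hosts do not all contact the CA at the same moment.
RandomizedDelaySec=$delay
EOF
}

# attempts_in_window HOURS_BETWEEN_RUNS [WINDOW_DAYS]
# Prints how many timer runs fall inside the renewal window (30 days unless
# WINDOW_DAYS is given), i.e. how many chances a renewal has to succeed.
attempts_in_window() {
    echo $(( ${2:-30} * 24 / $1 ))
}

# Touch the real system only when asked to (needs root).
if [ "${1:-}" = "--apply" ]; then
    write_certbot_override /etc/systemd/system/certbot.timer.d weekly 12h &&
        systemctl daemon-reload &&
        systemctl restart certbot.timer &&
        systemctl list-timers certbot.timer
fi
```

A weekly schedule leaves 4 renewal attempts inside the 30-day window, against 60 for a 12-hour interval, which is the margin for temporary outages that the reply describes.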
