CRON timing for auto renewal

The operating system my web server runs on is (include version):
OSX
I can login to a root shell on my machine (yes or no, or I don’t know):
YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
acme script

Script runs fine and renews (when running under root and executed manually). I am very comfortable creating cron jobs; my issue is, if I have the script run every day, is there a limitation for ENQUIRING / renewing the certificate (3 months?), or do I have to have the cron script run more in line with the renewal date, 2.5 months from the last, i.e. only one or so calls per 3 months? I haven’t created the cron job, however; I just want to make sure I don’t hit any limitation on asking every day “renew me?” Also, is this why people use certbot, as it has more checks and balances than the basic acme script?

Contents of acme script below
./acme.sh/acme.sh --issue -d DOMAIN --standalone --httpport 8081
/usr/local/kerio/mailserver/keriomailserver stop
cp ~/.acme.sh/domain.name/domain.name.cer /usr/local/kerio/mailserver/sslcert/server2.crt
cp ~/.acme.sh/domain.name/domain.name.key /usr/local/kerio/mailserver/sslcert/server2.key
/usr/local/kerio/mailserver/keriomailserver start

What you’d really want to do is put the remaining commands (the ones after acme.sh) into a post-renew script. Then issue the cert with acme.sh --issue -d DOMAIN --standalone --httpport 8081 --reloadcmd /path/to/script. Once that issues, set a daily cron job of /path/to/acme.sh --cron.

1 Like

You should also use acme.sh --install to copy the certificate and key files instead of cp.

Daily, at random times of the day.

For example, with something like:

0 */12 * * * perl -e 'sleep int(rand(43200))' && /path/to/acme.sh --cron

Or an equivalent that works on macOS.

1 Like

Thank you both for the insight! Would the below be correct?

./acme.sh/acme.sh --issue -d DOMAIN --standalone --httpport 8081 --reloadcmd
/usr/local/kerio/mailserver/keriomailserver stop
--install ~/.acme.sh/domain.name/domain.name.cer /usr/local/kerio/mailserver/sslcert/server2.crt
--install ~/.acme.sh/domain.name/domain.name.key /usr/local/kerio/mailserver/sslcert/server2.key
/usr/local/kerio/mailserver/keriomailserver start

As the server has daily backups, I don’t want the script to impede on that, so a “not so” randomised time 90 minutes after 21:30.

30 21 * * * bash -c "sleep $[RANDOM%90]m" ; ~/var/root/scripts/acme.sh

After further consideration, the way to go would be
.acme.sh/acme.sh --issue -d DOMAIN --standalone --httpport 8081 --key-file /usr/local/kerio/mailserver/sslcert/server2.key --cert-file /usr/local/kerio/mailserver/sslcert/server2.crt --reloadcmd /usr/local/kerio/mailserver/keriomailserver restart (assuming there’s a “restart” command for keriomailserver, “reload” would be even better). Then your cron job (after whatever delay you implement) would still be what I suggested earlier: acme.sh --cron.

Consider whether you’d need to use --fullchain-file rather than --cert-file; that’s going to depend on the requirements of your server software.

1 Like
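As an added example (not code from the thread, from acme.sh or from Kerio), here is one way to put the final suggestion into a single wrapper script: the cron entry point adds the bounded random delay the original poster wanted after the 21:30 backup window and then lets acme.sh --cron decide whether renewal is due, while the reload entry point is meant to be passed as --reloadcmd and refuses to restart the mail server if the freshly written certificate and key do not match; pem_cert_count helps decide between --cert-file and --fullchain-file. The paths, the 90-minute window and the keriomailserver "restart" subcommand are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or acme.sh; paths and the "restart"
# subcommand are assumptions taken from the thread.
set -u
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"                      # default acme.sh home
CERT_DIR="${CERT_DIR:-/usr/local/kerio/mailserver/sslcert}"   # from the poster's script
MAX_DELAY="${MAX_DELAY:-5400}"   # 90-minute window after the cron time, in seconds

# Random delay in [0, max) seconds via awk, which works under plain /bin/sh;
# $RANDOM is a bash/zsh feature and is not guaranteed in every cron shell.
random_delay() {
  awk -v max="$1" -v seed="$(date +%s)$$" 'BEGIN { srand(seed); print int(rand() * max) }'
}

# Number of PEM certificates in a file: 1 is a bare leaf (--cert-file),
# more than 1 is a chain (--fullchain-file), 0 is missing or not PEM.
pem_cert_count() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Compare the public key inside the certificate with the one derived from the
# private key; a mismatch means the two files were not written consistently.
cert_matches_key() {
  cpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  kpub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# --reloadcmd target: acme.sh runs it only after a successful renewal, and this
# restarts the mail server only if the new cert and key belong together.
reload_mailserver() {
  if ! cert_matches_key "$CERT_DIR/server2.crt" "$CERT_DIR/server2.key"; then
    echo "server2.crt does not match server2.key; not restarting" >&2
    return 1
  fi
  /usr/local/kerio/mailserver/keriomailserver restart
}

# cron target ("30 21 * * * /path/to/this.sh cron"): wait a bounded random
# time, then let acme.sh --cron decide whether renewal is due.
cron_entry() {
  sleep "$(random_delay "$MAX_DELAY")"
  "$ACME_HOME/acme.sh" --cron --home "$ACME_HOME"
}

case "${1:-}" in
  cron)   cron_entry ;;
  reload) reload_mailserver ;;
esac
```

Install it once as the --reloadcmd ("/path/to/this.sh reload") when issuing, and point the single daily cron line at "/path/to/this.sh cron".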