Crontab auto-renew certificate failed


#1

Hello everyone,

My certificate is not yet due for renewal, however just for testing purposes I set up a cron job so that my SSL certificate shall be renewed every 1st of the month at 0:01 system time.
However, when I check the certificate in my web browser today it is still the old one (approximately 3 weeks old).
Is there an error in my crontab syntax?

crontab -l

01 0 1 * * /home/pi/letsencrypt/letsencrypt-auto --renew certonly -d replaced.domain.name && sudo /etc/init.d/apache2 reload


#2

There are a couple of errors there.

If you’d provided your domain name I could have done extra checks. Without it, though, I can only guess at some things.

The problem of your website showing the wrong cert could be in a couple of places usually.

  1. You haven’t obtained a new cert.
  2. You have obtained a new cert, but are not using it.

You can check the cert, to see if it’s been renewed, either on your server or via the cert transparency report (try https://www.google.com/transparencyreport/https/ct/?hl=en) to see when the most recent one was obtained.

That will tell you if the error is with 1. or 2. in your case.

The crontab you have should run once per month (personally I run it daily). You should only need “/letsencrypt-auto --renew” to check and renew all certs that are required. I’d also use one of the --hook options to reload apache if needed rather than every time the cron is run.

What version of letsencrypt are you running? You may want to update to the latest (now named certbot). You also don’t say if you are running this as a user or root (i.e. if you have the relevant permissions), since the command looks to be a user (/home/pi …) yet reloading apache would typically not be an option for a user.


#3

Hello again,

Finally I had some time to do more reading on this and ultimately remembered that I posted a topic here.
I tried out another script and it worked perfectly. In my case I had to stop apache2 before running letsencrypt-auto, because if I had not stopped apache2, the relevant ports would have been blocked by apache2 and renewal of the certificate would have failed.

I now have this cronjob running (new cert every Monday), in case anybody finds this topic interesting for his/her own issue:

crontab -l

00 4 * * 1 sudo service apache2 stop && /home/pi/letsencrypt/letsencrypt-auto renew --force-renew && sudo service apache2 start

I am now marking this topic as solved. Anyways, thanks for your reply!


#4

You might be better looking at the “hooks” that are available and use

certbot renew --pre-hook "service apache2 stop" --post-hook "service apache2 start"

You could run this every day, and it would only stop apache, renew the cert, and restart apache when it was needed. Your approach forces a stop of apache and generates a new cert every week.
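As an added example (not code from any post in this thread): a wrapper script for the cron job that runs the renewal, reloads Apache only when the certificate file on disk actually changed, and exposes an expiry check so that a renewal that keeps failing silently is noticed. The certificate path, RENEW_CMD and RELOAD_CMD are assumptions and are overridable through the environment.

```shell
#!/bin/sh
# Added example, not from the thread. Run from cron, e.g. daily:
#   0 4 * * * /usr/local/bin/renew-wrapper.sh run
# Assumed defaults (placeholders): the live cert path and the renew/reload commands.
set -u

CERT="${CERT:-/etc/letsencrypt/live/example.invalid/fullchain.pem}"
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"
RELOAD_CMD="${RELOAD_CMD:-/etc/init.d/apache2 reload}"

# Returns 0 if the certificate expires within $1 days (the "is it really renewed?" check).
cert_expires_within() {
  ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Returns 0 if the cert file differs from the snapshot taken before renewal.
cert_changed() {
  ! cmp -s "$1" "$2"
}

# Runs the renewal and reloads the web server only if a new cert was written.
# Exit status: 0 = renewed and reloaded, 1 = nothing changed, 2 = renewal command failed.
renew_and_reload() {
  snapshot=$(mktemp)
  cp "$CERT" "$snapshot"
  if ! sh -c "$RENEW_CMD"; then
    rm -f "$snapshot"
    echo "renewal command failed; certificate untouched" >&2
    return 2
  fi
  if cert_changed "$CERT" "$snapshot"; then
    rm -f "$snapshot"
    sh -c "$RELOAD_CMD"
    echo "certificate renewed, web server reloaded"
    return 0
  fi
  rm -f "$snapshot"
  # Unchanged is normal most days; it is only a problem when expiry is close.
  if cert_expires_within 14 "$CERT"; then
    echo "WARNING: certificate unchanged and expires within 14 days" >&2
  fi
  return 1
}

[ "${1:-}" = run ] && renew_and_reload
```

With a current certbot the same reload-only-on-renewal behaviour is available through `--deploy-hook`; the wrapper mainly adds the explicit expiry warning.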


#5

A post was split to a new topic: Renew without stopping apache

