FIXED: Crontab renewal with docker container

We run certbot in docker form (on CentOS 8) to create and then renew certificates perfectly happily; it works.

However, I cannot persuade it to renew as a cron job: 10 seconds after it has been executed as a cron job, dockerd says that "the container didn't exit within 10 seconds of signal 15" and it is terminating it. I must have something wrong in my cron job line; I guess that somehow cron is not waiting for the docker container to do its stuff. Can anyone tell me what I need to do to fix it?

Here are the contents of /etc/crontab:

0 0,12 * * * root sleep 2487 && docker run -it --rm --name certbot --env AWS_CONFIG_FILE=/etc/aws/config -v /etc/aws:/etc/aws -v /etc/letsencrypt:/etc/letsencrypt -v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/dns-route53 renew

...here's what journalctl says happens every 12 hours:

Jan 02 00:00:01 CROND[903846]: (root) CMD (sleep 2487 && docker run -it --rm --name certbot --env AWS_CONFIG_FILE=/etc/aws/config -v /etc/aws:/etc/aws -v /etc/letsencrypt:/etc/letsencrypt -v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/dns-route53 renew)
Jan 02 00:00:10 dockerd[1639]: time="2024-01-02T00:00:10.383542421Z" level=info msg="Container failed to exit within 10s of signal 15 - using the force" container=8f2b44b166aec474077fc16e390cb934114c13baf789a6fdd82ac2c40d26fdd2

...and, just to prove that it works from the command-line, here is the output of a dry-run:

$ sudo docker run -it --rm --name certbot --env AWS_CONFIG_FILE=/etc/aws/config -v /etc/aws:/etc/aws -v /etc/letsencrypt:/etc/letsencrypt -v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/dns-route53 --dry-run renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xxxxxx.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for xxxxxx.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/xxxxxx.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Ah, S'OK, think I realised what it is: the -it will make no sense to cron as it is not interactive, there is no TTY. Remove the -it and the logged output from cron now shows sensible stuff.

3 Likes

I had to be sure the cron job had the PATH set correctly also.

2 Likes
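A wrapper that combines the two fixes reported in this thread (no -it when there is no TTY, and an explicit PATH for cron), as an added example that is not code from any poster. The script path /usr/local/sbin/certbot-renew.sh, the function names and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path:
#   /usr/local/sbin/certbot-renew.sh
# Assumed /etc/crontab entry that calls it:
#   0 0,12 * * * root sleep 2487 && /usr/local/sbin/certbot-renew.sh run

# cron starts jobs with a minimal environment, so set PATH explicitly
# to make sure the docker binary is found.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Print "-it" only when stdin is a terminal. Under cron there is no TTY,
# so this prints nothing and the container runs non-interactively.
tty_flags() {
    if [ -t 0 ]; then
        printf '%s\n' '-it'
    fi
}

# Start the same container as the original crontab line. Extra arguments
# (for example --dry-run) are passed through to certbot ahead of "renew".
renew() {
    # $(tty_flags) is deliberately unquoted: without a TTY it expands to
    # nothing instead of an empty argument.
    docker run $(tty_flags) --rm --name certbot \
        --env AWS_CONFIG_FILE=/etc/aws/config \
        -v /etc/aws:/etc/aws \
        -v /etc/letsencrypt:/etc/letsencrypt \
        -v /var/lib/letsencrypt:/var/lib/letsencrypt \
        certbot/dns-route53 "$@" renew
}

# Only start the container when invoked as "certbot-renew.sh run [certbot args]".
if [ "${1:-}" = "run" ]; then
    shift
    renew "$@"
fi
```

Run from a terminal, the same script keeps the interactive flags, so "certbot-renew.sh run --dry-run" behaves like the manual dry-run shown earlier in the thread.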
