Friendlier renewal interval for cron jobs


#1

I’d like to have a friendlier time interval for certificate expiration and renewal.

Currently, it’s set at 90 days. 90 days doesn’t divide evenly into anything, so I can’t just set up 4 individual renewal points during the year – I’d be 5 days off if I did that. I can’t set it up every three months, because, obviously, that’s more than 90 days.

I tried setting it up as a cron job that runs once every two months, and I was rewarded with this:

```
The following certs are not due for renewal yet:
/etc/letsencrypt/live/carlson.workingcode.com/fullchain.pem (skipped)
No renewals were attempted.
```

Could we have a slightly cron-friendlier timeout interval? I know I can set up a daily job that updates a counter or uses a timestamp calculation to determine when to try renewing, but it’d really be nice if this were simpler.


#2

I’m not sure I follow. I assume you are using the official client - certbot. If so then the cron is simply running

```bash
certbot renew
```

This will automatically check which certs are due for renewal (or within 30 days of their expiry date) and only attempt to renew those that are.

It can safely be run every day - and if any of your certs need renewal, it will renew them. If none are due for renewal, it will just do nothing.
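The "timestamp calculation" the first post mentions is exactly what a daily `certbot renew` job does internally: read each certificate's `notAfter` date and renew only those inside a 30-day window, so the cron interval stops mattering. The script below is an added example (not certbot's own code and not from this thread) that reproduces that decision on the output of `openssl x509 -enddate -noout`; the certificate paths and the sample `notAfter` lines are constructed for illustration.

```python
"""Decide which certificates are due for renewal the way a daily
``certbot renew`` job does: only those within RENEW_WITHIN of expiry.

Added example, not certbot code. Intended to run daily from cron, e.g.:
    0 3 * * * /usr/local/bin/check_renewals.py
(or simply ``0 3 * * * certbot renew --quiet`` when certbot is installed).
"""
import subprocess
from datetime import datetime, timedelta, timezone

# certbot's default: attempt renewal once a cert is within 30 days of expiry
RENEW_WITHIN = timedelta(days=30)

# Constructed example paths; on a real host these come from /etc/letsencrypt/live/*/cert.pem
CERT_PATHS = ["/etc/letsencrypt/live/example.invalid/cert.pem"]


def parse_not_after(line: str) -> datetime:
    """Parse the line printed by ``openssl x509 -enddate -noout``,
    e.g. 'notAfter=Mar  1 12:00:00 2024 GMT', into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected openssl output: {line!r}")
    # openssl pads single-digit days with two spaces; collapse them
    value = " ".join(value.split())
    if value.endswith(" GMT"):
        value = value[: -len(" GMT")]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_left(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry (negative once the cert has expired)."""
    return (not_after - now).days


def renewal_due(not_after: datetime, now: datetime,
                within: timedelta = RENEW_WITHIN) -> bool:
    """True when the cert expires within the renewal window (or already has)."""
    return not_after - now <= within


def cert_not_after(cert_path: str) -> datetime:
    """Ask openssl for the certificate's expiry date."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_not_after(out)


def plan(cert_paths, now: datetime) -> dict:
    """Map each cert path to (days_left, due) so the caller can decide what to renew."""
    result = {}
    for path in cert_paths:
        not_after = cert_not_after(path)
        result[path] = (days_left(not_after, now), renewal_due(not_after, now))
    return result


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for path, (days, due) in plan(CERT_PATHS, now).items():
        status = "DUE - renew now" if due else "not due"
        print(f"{path}: {days} days left, {status}")
```

Because the check is idempotent, it is safe to run every day; a run that finds nothing due costs one `openssl` call per certificate, which is the behaviour described above for `certbot renew`.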


#3

No clue what “certbot” might be. It doesn’t seem to come with the software:

```bash
find . -name certbot -print
```

Given the other defects I’ve had to work around, I’m not sure I’d trust such a thing.

Here’s the script I’m using:

```bash
cd /root/letsencrypt || exit

# 'print' is a ksh builtin; under bash or POSIX sh use 'echo' instead
print "Stopping httpd"
systemctl stop apache2
./letsencrypt-auto renew || exit
```

Let’s Encrypt leaves this weirdly unprotected.

```bash
chmod 600 /etc/letsencrypt/live/carlson.workingcode.com/privkey.pem
```

```bash
print "Restarting httpd, sendmail, and dovecot"
systemctl start apache2
systemctl restart sendmail
systemctl restart dovecot
```


#4

certbot - https://certbot.eff.org/ is the official client.

It looks as if you have “letsencrypt” which is the old name for the same client, although probably not the latest version.

How did you generate your certificates? I’m guessing (since you stop and restart apache) that you obtained the certs in standalone mode. It may be worth updating that, so you use your existing apache; that way there is zero downtime when renewing.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.