How can I change the certbot renewal frequency when using systemd timers

Help
1

I have the latest version of certbot installed (snap package).
As per design it automatically created the systemd timer that runs every 12 hours, I see this in the associated .service and .timer files:
snap.certbot.renew.service
snap.certbot.renew.timer

In the snap.certbot.renew.service it sets the certbot timer to run twice a day. You can see that in the "ExecStart" statement.

[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=snap-certbot-3024.mount
Wants=network.target
After=snap-certbot-3024.mount network.target snapd.apparmor.service
X-Snappy=yes

[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/3024
TimeoutStopSec=30
Type=oneshot

So I want to change this to have --timer="00:00~24:00/1" instead of /2 so it only runs one per day instead of 2.
But as soon as I restart, the service file gets automatically regenerated again with /2.

Where is this getting autogenerated from? How can I change this to run once per day and have it persist the change?

2

Why?
It should only check to see if a renewal is needed - and do nothing for 60 days.

3 Likes
3

@_az Is this behavior possibly an unintended consequence of the snap packaging method (where this file is symlinked into the snap image or something)?

3 Likes
4

The systemd units created by snapd are mutable, but you should not modify them directly because any changes will be reverted during snap refreshes..

What you can do is (which I have previously described here):

systemctl edit snap.certbot.renew.timer

This will give you an empty override file. You can then make the contents:

[Timer]
OnCalendar=
OnCalendar=*-*-* 17:04

(or whatever random time of day you'd like Certbot to run).

I don't think there's any point modifying snap.certbot.renew.service, because the --timer flag to snap run just acts like a filter. In this case, any time of day is suitable. I'm not super sure why this flag even exists, but the .timer unit is the actual initiator that you need to pay attention to.

7 Likes
5

Please note that if and when the ARI (ACME Renewal Information) extension becomes implemented, it's probably going to be recommended to run your ACME client even MORE frequent than just the 2 times a day currently!

5 Likes
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.