How can I tell if the cron job for certbot is running?

My domain is: geoapi.pt, and other subdomains at *.geoapi.pt

My web server is: nginx/1.26.2

The operating system my web server runs on is: Ubuntu 24.04.1 LTS

The version of my client is: certbot 3.0.1

I thought everything was working fine, though the certificates expired and I had to create new ones (yes, I ignored the emails, because I thought they were referring to older versions from a different server, since I moved server).

Everything is working fine now, but I just want to be sure the cron job is working fine.

I ran sudo certbot renew --dry-run and everything seems to be working just fine:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/contabo2.joaopimentel.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for contabo2.joaopimentel.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/geoapi.pt.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for geoapi.pt and 4 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/contabo2.joaopimentel.com/fullchain.pem (success)
  /etc/letsencrypt/live/geoapi.pt/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How can I tell if the cron job for certbot (renew) is running?

I can't find anything in /etc/cron.*/*

sudo find /etc/cron.* -name 'cert*'

It depends on how you installed Certbot, but looking at your OS and most recent version of Certbot, it's probably using snap. Snap uses systemd timers to run Certbot periodically (twice a day at randomised times).

You can check the /var/log/letsencrypt/ directory for logs. I think it even writes to the log there if it doesn't need to renew any certificate.

4 Likes

Yes, it was installed via snap

systemctl list-timers --all | grep cert
Tue 2024-12-03 08:47:00 CET            14h Mon 2024-12-02 16:44:54 CET  1h 14min ago snap.certbot.renew.timer       snap.certbot.renew.service

Logs are a bit messy to read, but I'll take a look, thanks

2 Likes

A simple solution I used was to grep the word renew

$ sudo grep renew /var/log/letsencrypt/letsencrypt.log
2024-12-03 12:58:03,599:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2024-12-03 12:58:03,638:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/contabo2.joaopimentel.com.conf
2024-12-03 12:58:03,704:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-12-03 12:58:03,706:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/geoapi.pt.conf
2024-12-03 12:58:03,747:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-12-03 12:58:03,748:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2024-12-03 12:58:03,748:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-12-03 12:58:03,748:DEBUG:certbot._internal.renewal:no renewal failures

2 Likes
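Building on the grep above, an added example (not part of the thread and not Certbot's own code): a small check that parses log lines in the format quoted here and reports whether the most recent unattended run is recent and ended with `no renewal failures`. The sample log is constructed, and treating `-q` without `--dry-run` as the timer-driven run, as well as the 24-hour threshold (the timer fires twice a day), are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log lines quoted in the thread.
SAMPLE_LOG = """\
2024-12-03 00:41:10,101:DEBUG:certbot._internal.main:Arguments: ['--dry-run']
2024-12-03 12:58:03,599:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2024-12-03 12:58:03,638:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/example.org.conf
2024-12-03 12:58:03,704:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-12-03 12:58:03,748:DEBUG:certbot._internal.renewal:no renewal failures
"""

# timestamp,millis:LEVEL:logger:message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:\w+:([\w.]+):(.*)$")

def parse_runs(text):
    """Split the log into runs; each 'Arguments:' line opens a new run."""
    runs = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines (e.g. tracebacks) have no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        logger, msg = m.group(2), m.group(3)
        if logger == "certbot._internal.main" and msg.startswith("Arguments:"):
            # Assumption: '-q' without '--dry-run' marks the unattended timer run.
            unattended = "'-q'" in msg and "--dry-run" not in msg
            runs.append({"started": ts, "unattended": unattended,
                         "lineages": [], "clean": False})
        elif runs and "Processing " in msg:
            runs[-1]["lineages"].append(msg.split("Processing ", 1)[1].strip())
        elif runs and logger == "certbot._internal.renewal" and msg == "no renewal failures":
            runs[-1]["clean"] = True
    return runs

def check_renewal(text, now, max_age=timedelta(hours=24)):
    """Return (ok, reason) for the newest unattended run found in the log."""
    unattended = [r for r in parse_runs(text) if r["unattended"]]
    if not unattended:
        return False, "no unattended renewal run in log"
    last = unattended[-1]
    if now - last["started"] > max_age:
        return False, f"stale: last unattended run started {last['started']}"
    if not last["clean"]:
        return False, "last unattended run did not log 'no renewal failures'"
    return True, f"ok: {last['started']}, {len(last['lineages'])} renewal config(s) processed"

if __name__ == "__main__":
    print(check_renewal(SAMPLE_LOG, now=datetime(2024, 12, 3, 20, 0, 0)))
```

On a real host, pass it the contents of /var/log/letsencrypt/letsencrypt.log (read as root) and `datetime.now()`.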
