How to automate renewal on Debian Buster

Hi Support!
I’m using Debian 10 Buster with Certbot 0.31.0-1,
Actually on “/etc/cron.d/certbot” I’ve:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

and requesting a new certificate domain I have run:

certbot certonly --cert-name server3.example.org --webroot -w /var/www/letsencrypt --email master@example.org --expand -d server3.example.org -d www.server3.example.org -d example.john.eu -d www.example.john.eu -d example.doe.org -d www.example.doe.org

I would understand better if I should modify (or not) the “native” certbot “/etc/cron.d/certbot” to make sure that the renewal process become automatic or if I must create a new one cron task.

Many thanks!

Davide

1 Like

You should leave things as they are. There’s a systemd timer handling things, check with systemctl list-timers

1 Like

Well, on “/etc/systemd/system/timers.target.wants/certbot.timer” I’ve:

 [Unit]
 Description=Run certbot twice daily

 [Timer]
 OnCalendar=*-*-* 00,12:00:00
 RandomizedDelaySec=43200
 Persistent=true

 [Install]
 WantedBy=timers.target

I read that letsencrypt certificates renews at least one month before the data expiration.
In my situation, my certificates expire May 7, 2020, is there something wrong maybe?
How to verify?

Many thanks again!

Davide

1 Like

You need to check that the timer is actually active.

Or just run systemctl enable --now certbot.timer

1 Like

Hi 9peppe, and thanks for your help!

I’ve checked if active:

systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Wed 2020-01-22 18:05:05 CET; 2 months 28 days ago
  Trigger: Tue 2020-04-21 18:05:58 CEST; 4h 1min left

Then execute anyway " systemctl enable --now certbot.timer" and check again:

systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Wed 2020-01-22 18:05:05 CET; 2 months 28 days ago
  Trigger: Tue 2020-04-21 22:41:53 CEST; 8h left

The only difference now is the Trigger time…

It was enabled already. What does certbot certificates say?

Certificate Name: server3.example.org
Domains: server3.example.org example.doe.eu example.john.org www.server3.example.org www.example.doe.eu www.example.john.org
Expiry Date: 2020-05-07 08:46:48+00:00 (VALID: 15 days)
Certificate Path: /etc/letsencrypt/live/server3.example.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/server3.example.org/privkey.pem

Automation is not your problem. What happens if you run certbot renew (with no options)?

Obtain this error:

Attempting to renew cert (server3.example.org) from /etc/letsencrypt/renewal/server3.example.org.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for server3.example.org:
Choices: [‘Enter a new webroot’, ‘/var/www/letsencrypt’]

(You can set this with the --webroot-path flag). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/server3.example.org/fullchain.pem (failure)

On my virtualhost so I’ve set the webroot-path:

...
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>

And running certbot:

certbot certonly --cert-name server3.example.org --webroot -w /var/www/letsencrypt --email master@example.org --expand -d server3.example.org -d www.server3.example.org -d example.john.eu -d www.example.john.eu -d example.doe.org -d www.example.doe.org

You are randomly copypasting stuff off the internet. Stop doing that.

Run certbot renew --cert-name "your_cert_name" --webroot -w /var/www/letsencrypt --deploy-hook "some command"

where your_cert_name you’ll get from certbot certificates or from ls /etc/letsencrypt/live and some command is the command that will reload the services that rely on your certificate.

And if you’re only using apache, you should remove all that stuff and just use certbot renew --cert-name "your_cert_name" --apache

1 Like

Well, thanks for your very exhaustive explanation!
I’ve done exactly as you suggest here, now I will pay attention to the next renewal, if it will be successful :wink:

Thanks again!

Davide

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.