How to automate renewal on Debian Buster

Hi Support!
I’m using Debian 10 Buster with Certbot 0.31.0-1.
Currently, in “/etc/cron.d/certbot” I have:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

and to request a new certificate I ran:

certbot certonly --cert-name server3.example.org --webroot -w /var/www/letsencrypt --email master@example.org --expand -d server3.example.org -d www.server3.example.org -d example.john.eu -d www.example.john.eu -d example.doe.org -d www.example.doe.org

I would like to understand whether I should modify (or not) the “native” certbot “/etc/cron.d/certbot” to make sure that the renewal process becomes automatic, or whether I must create a new cron task.

Many thanks!

Davide

You should leave things as they are. There's a systemd timer handling things; check with systemctl list-timers

Well, in “/etc/systemd/system/timers.target.wants/certbot.timer” I have:

 [Unit]
 Description=Run certbot twice daily

 [Timer]
 OnCalendar=*-*-* 00,12:00:00
 RandomizedDelaySec=43200
 Persistent=true

 [Install]
 WantedBy=timers.target

I read that Let's Encrypt certificates renew at least one month before the expiration date.
In my situation, my certificates expire May 7, 2020; is there something wrong, maybe?
How can I verify?

Many thanks again!

Davide

You need to check that the timer is actually active.

Or just run systemctl enable --now certbot.timer

Hi 9peppe, and thanks for your help!

I’ve checked whether it is active:

systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Wed 2020-01-22 18:05:05 CET; 2 months 28 days ago
  Trigger: Tue 2020-04-21 18:05:58 CEST; 4h 1min left

Then I executed "systemctl enable --now certbot.timer" anyway and checked again:

systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Wed 2020-01-22 18:05:05 CET; 2 months 28 days ago
  Trigger: Tue 2020-04-21 22:41:53 CEST; 8h left

The only difference now is the Trigger time…

It was enabled already. What does certbot certificates say?

Certificate Name: server3.example.org
Domains: server3.example.org example.doe.eu example.john.org www.server3.example.org www.example.doe.eu www.example.john.org
Expiry Date: 2020-05-07 08:46:48+00:00 (VALID: 15 days)
Certificate Path: /etc/letsencrypt/live/server3.example.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/server3.example.org/privkey.pem

Automation is not your problem. What happens if you run certbot renew (with no options)?

I get this error:

Attempting to renew cert (server3.example.org) from /etc/letsencrypt/renewal/server3.example.org.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for server3.example.org:
Choices: ['Enter a new webroot', '/var/www/letsencrypt']

(You can set this with the --webroot-path flag). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/server3.example.org/fullchain.pem (failure)

So on my virtual host I've set the webroot path:

...
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>

And running certbot:

certbot certonly --cert-name server3.example.org --webroot -w /var/www/letsencrypt --email master@example.org --expand -d server3.example.org -d www.server3.example.org -d example.john.eu -d www.example.john.eu -d example.doe.org -d www.example.doe.org

You are randomly copypasting stuff off the internet. Stop doing that.

Run certbot renew --cert-name "your_cert_name" --webroot -w /var/www/letsencrypt --deploy-hook "some command"

where your_cert_name is what you’ll get from certbot certificates or from ls /etc/letsencrypt/live, and some command is the command that will reload the services that rely on your certificate.

And if you’re only using Apache, you should remove all that stuff and just use certbot renew --cert-name "your_cert_name" --apache

Well, thanks for your very exhaustive explanation!
I’ve done exactly as you suggested here; now I will keep an eye on the next renewal to see whether it is successful ;)

Thanks again!

Davide
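
A check for the situation diagnosed in this thread (timer active, yet the certificate is down to 15 days), as an added example that is not part of the original posts. It parses `certbot certificates` output; the function names are hypothetical, the sample input is constructed, and the 30-day threshold assumes certbot's default renewal window.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: certbot renews once fewer than 30 days of validity remain, so a
# certificate below that threshold means renewal is failing even though the
# timer fires (the thread's case: timer active, "VALID: 15 days").

# overdue_certs LIMIT_DAYS
# Reads `certbot certificates` output on stdin; prints "<name> <days>" for each
# certificate under the limit and "<name> invalid" for INVALID ones.
overdue_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            if (match($0, /VALID: [0-9]+ day/)) {
                # Digits sit between "VALID: " (7 chars) and " day" (4 chars).
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < limit) print name, days
            } else if ($0 ~ /VALID: [0-9]+ hour/) {
                print name, 0          # under one day left
            } else if ($0 ~ /INVALID/) {
                print name, "invalid"  # e.g. expired
            }
        }'
}

# check_renewal [LIMIT_DAYS]
# Exit status 0 if nothing is overdue, 1 otherwise (usable from monitoring).
check_renewal() {
    found=$(overdue_certs "${1:-30}")
    if [ -n "$found" ]; then
        printf 'renewal overdue:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample; the first entry mirrors the output quoted in the thread.
SAMPLE='Certificate Name: server3.example.org
  Expiry Date: 2020-05-07 08:46:48+00:00 (VALID: 15 days)
Certificate Name: fresh.example.org
  Expiry Date: 2020-07-20 10:00:00+00:00 (VALID: 89 days)
Certificate Name: old.example.org
  Expiry Date: 2020-04-01 10:00:00+00:00 (INVALID: EXPIRED)'

# Real use: certbot certificates 2>/dev/null | check_renewal 30
```

When the check reports a certificate, running certbot renew by hand, as was done in the thread, shows the error that the quiet scheduled run hides.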
