How to correctly add auto-renewal (Debian 9 (Stretch))

I would like to create automatic renwal for my domains, because i Have had some bad luck in the past without looking into it I have made some mistakes that cost me dearly.
I would like to know if there is a tutorial or something similar to recommend me so i don’t mess everything up. Thank you.

My domain is:

My web server is (include version):
Distributor ID: Debian
Description: Debian GNU/Linux 9.9 (stretch)
Release: 9.9
Codename: stretch

The operating system my web server runs on is (include version):
Apache/2.4.25 (Debian)

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No, I use terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.40.1 (cannot find where is located)

which certbot
find / -name certbot

Please show:
systemctl status certbot
systemctl list-timers certbot.timer

which certbot
find / -name certbot


systemctl status certbot
systemctl list-timers certbot.timer

systemctl status certbot
Unit certbot.service could not be found.

systemctl list-timers certbot.timer
0 timers listed.
Pass --all to see loaded but inactive timers, too.

Please show:
find / -name certbot*
systemctl list-timers

#use your actual root username:
crontab -u root -l

EDIT: be sure to be logged as root user or use sudo for these commands

find / -name certbot*

/opt/letsencrypt/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/ multiple_vhosts/apache2/sites-available/certbot.conf
/opt/letsencrypt/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/ multiple_vhosts/apache2/sites-enabled/certbot.conf
/opt/ info
/opt/ -info
/opt/ ata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/certbot.conf
/opt/ ata/debian_apache_2_4/multiple_vhosts/apache2/sites-enabled/certbot.conf

systemctl list-timers
Thu 2019-11-07 11:39:00 UTC 5min left Thu 2019-11-07 11:09:02 UTC 24min ago phpsessionclean.timer phpsessionclean.service
Thu 2019-11-07 14:47:11 UTC 3h 13min left Wed 2019-11-06 14:47:11 UTC 20h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Thu 2019-11-07 17:18:39 UTC 5h 45min left Thu 2019-11-07 05:44:48 UTC 5h 48min ago apt-daily.timer apt-daily.service
Fri 2019-11-08 06:11:31 UTC 18h left Thu 2019-11-07 06:04:35 UTC 5h 28min ago apt-daily-upgrade.timer apt-daily-upgrade.service

4 timers listed.
Pass --all to see loaded but inactive timers, too.

sudo crontab -u root -l

no crontab for root

OK, so your running certbot-auto
But there was not timer automatically created for renewals…
[that should have been done for you]

OK, the simplest is to use cron
What command are you currently using to renew?

I still havent needed to renew, the websites are younger than 90 days and just wanted to prepare ahead of time and set up automatic renewal and not mess anything up along the way,

Here is a starting point for your cron renewal entry:

41 */12 * * * /usr/local/sbin/certbot-auto --apache -q --deploy-hook '/etc/init.d/apache2 restart'

Test that with:
/usr/local/sbin/certbot-auto --apache --deploy-hook '/etc/init.d/apache2 restart'

I just copy all of this into terminal and run ?

From cron job NO
That requires using an editor (via crontab -e)

Start with the TEST command first - see if that “works”.
Try from terminal prompt:

sudo /usr/local/sbin/certbot-auto --apache --deploy-hook '/etc/init.d/apache2 restart'

I copy this command exactly like this and run it as sudo su ?


sudo /usr/local/sbin/certbot-auto --apache --deploy-hook ’ /etc/init.d/apache2 restart’
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): An unexpected error occ urred:
error: (4, ‘Interrupted system call’)
Please see the logfiles in /var/log/letsencrypt for more details.

So you don’t yet have a certificate?
Enter “c” and cancel that.

certbot-auto certificates

certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Expiry Date: 2019-12-10 10:18:04+00:00 (VALID: 32 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Expiry Date: 2019-12-10 10:52:58+00:00 (VALID: 32 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Expiry Date: 2019-12-12 10:45:26+00:00 (VALID: 34 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Expiry Date: 2019-12-12 10:34:56+00:00 (VALID: 34 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

EDIT: The other domains listed here were also listed up there but I deleted them because I thought they were not relevant, but they are apparently so they were on the list up there also.

You have certs, but certbot-auto doesn’t know where/how they are being used…

Please show:
ls -l /etc/letsencrypt/renewal/

ls -l /etc/letsencrypt/renewal/
total 16
-rw-r–r-- 1 root root 499 Sep 11 11:18
-rw-r–r-- 1 root root 549 Sep 11 11:53
-rw-r–r-- 1 root root 509 Sep 13 11:45
-rw-r–r-- 1 root root 529 Sep 13 11:34

Please show:
[don’t show account numbers]

cat /etc/letsencrypt/renewal/

cat /etc/letsencrypt/renewal/

renew_before_expiry = 30 days

version = 0.38.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

authenticator = apache
installer = apache
account =
server =