How to correctly add auto-renewal (Debian 9 (Stretch))

When run with “-q” it will only “renew”…So they are basically the same.

If you want to go ALL OUT (or ALL IN) use:
renew -n -q

41 */12 * * * /usr/local/sbin/certbot-auto renew -n -q --apache --deploy-hook '/etc/init.d/apache2 restart'

Just out of curiosity, does this cron command execute every day at every 12 hours on the 41st minute ?

YES
00:41 & 12:41
everyday

Thank you a lot again!

You can thank me in 2 days when it renews your first cert (automatically) - LOL

Or, better yet, thank LE (for all they do)

Yes definitely will donate again and thanks to every one of you working for all of us here, it is really appreciated around the globe. Hope you realize that.

I added the cron job using crontab -e
got this
crontab -e
no crontab for root - using an empty one
GNU nano 2.7.4 File: /tmp/crontab.IynLJ2/crontab Modified

daemon’s notion of time and timezones.

Output of the crontab jobs (including errors) is sent through
email to the user the crontab file belongs to (unless redirected).

For example, you can run a backup of all your user accounts
at 5 a.m every week with:
0 5 * * 1 tar -zcf /var/backups/home.tgz /home/

For more information see the manual pages of crontab(5) and cron(8)

m h dom mon dow command

41 */12 * * * /usr/local/sbin/certbot-auto renew --apache --deploy-hook '/etc/init.d/apache2 restart'
^^^^

Added this

I hate to bother you again, but I waited for 00:41 just to see if the job will run and if everything will be alright, and the job did not run :confused: Can we check it somehow ?
I used the command crontab -e
it was first time using it so I selected nano editor
I added the following code

41 */12 * * * /usr/local/sbin/certbot-auto renew --apache --deploy-hook '/etc/init.d/apache2 restart'

It created the new cron

crontab: installing new crontab

Also when I run systemctl list-timers -all

NEXT                         LEFT          LAST                         PASSED       UNIT
Fri 2019-11-08 01:09:00 UTC  13min left    Fri 2019-11-08 00:39:01 UTC  16min ago    phpsessionclean.timer
Fri 2019-11-08 06:08:13 UTC  5h 12min left Thu 2019-11-07 21:01:59 UTC  3h 53min ago apt-daily.timer
Fri 2019-11-08 06:11:31 UTC  5h 15min left Thu 2019-11-07 06:04:35 UTC  18h ago      apt-daily-upgrade.timer
Fri 2019-11-08 14:47:11 UTC  13h left      Thu 2019-11-07 14:47:11 UTC  10h ago      systemd-tmpfiles-clean.ti

this is all of them from before, I suspect my cron should have been added ?

Thank you again sorry for bothering.

CRON and SYSTEMD are different things.
They both do the same kinds of things but are not related to each other.

To see if CRON actually ran at 00:41, you would have to check your firewall logs (if you have any) or maybe the LE log file (but that may also be empty since we used the -q parameter)

Please show:
/var/log/letsencrypt/letsencrypt.log

Wow you are right.
I opened this file and this is what I saw

2019-11-08 00:41:03,290:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f538e7c3c50>
2019-11-08 00:41:03,291:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no$
2019-11-08 00:41:03,292:DEBUG:certbot.cli:Var authenticator=apache (set by user).
2019-11-08 00:41:03,292:DEBUG:certbot.cli:Var installer=apache (set by user).
2019-11-08 00:41:03,324:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,324:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-11-08 00:41:03,329:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f538e7c3350>
2019-11-08 00:41:03,330:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no$
2019-11-08 00:41:03,331:DEBUG:certbot.cli:Var authenticator=apache (set by user).
2019-11-08 00:41:03,331:DEBUG:certbot.cli:Var installer=apache (set by user).
2019-11-08 00:41:03,361:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,362:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-11-08 00:41:03,367:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f538e731710>
2019-11-08 00:41:03,368:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no$
2019-11-08 00:41:03,369:DEBUG:certbot.cli:Var authenticator=apache (set by user).
2019-11-08 00:41:03,369:DEBUG:certbot.cli:Var installer=apache (set by user).
2019-11-08 00:41:03,403:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,403:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-11-08 00:41:03,409:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f538e72da90>
2019-11-08 00:41:03,409:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no$
2019-11-08 00:41:03,409:DEBUG:certbot.renewal:no renewal failures

You’re all set :slight_smile:

Your certificate should automatically renew soon…

Yes and I ran

ls -l /etc/letsencrypt/renewal/

and got this

total 16
-rw-r--r-- 1 root root 540 Nov 10 12:44 elami.mk.conf
-rw-r--r-- 1 root root 590 Nov 10 12:46 justsayingkiddo.nl.conf
-rw-r--r-- 1 root root 509 Sep 13 11:45 kentivo.de.conf
-rw-r--r-- 1 root root 529 Sep 13 11:34 www.kentivo.de.conf

before it was

total 16
-rw-r--r-- 1 root root 499 Sep 11 11:18 elami.mk.conf
-rw-r--r-- 1 root root 549 Sep 11 11:53 justsayingkiddo.nl.conf
-rw-r--r-- 1 root root 509 Sep 13 11:45 kentivo.de.conf
-rw-r--r-- 1 root root 529 Sep 13 11:34 www.kentivo.de.conf

This means they renewed automatically correct ?

I do see the new cert being served now:

Thank you very much <3

I think it just needed time to update :slight_smile:

Thank you again!

I guess the “restart” took some time…
Maybe system is low on resources.
But if you didn’t restart apache, then it did it all by itself as you wanted :slight_smile:

Yes I didn’t do any restart manually, so it must have done it by itself which is the point :slight_smile:
Thank you very much!

I started getting errors when the other domains that we are not using needed to be renewed
-rw-r--r-- 1 root root 509 Sep 13 11:45 kentivo.de.conf
-rw-r--r-- 1 root root 529 Sep 13 11:34 www.kentivo.de.conf

The server was down and we got this

AH00060: seg fault or similar nasty error detected in the parent process
AH00098: pid file /var/run/apache2/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
AH00489: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.2s configured -- resuming normal operations
Command line: '/usr/sbin/apache2' 
AH00491: caught SIGTERM, shutting down
AH00489: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.2s configured -- resuming normal operations
AH00094: Command line: '/usr/sbin/apache2'

From the log /var/log/letsencrypt/letsencrypt.log

I can separate this as important or I can send you the whole log privately there is some sensitive info in there.

Domain: kentivo.de
Type:   unauthorized
Detail: Invalid response from http://kentivo.com/?lang=de [IP ADDRESS]: "<!DOCTYPE html>\n<html lang=\"de-DE\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-sca"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-11-14 12:46:11,399:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

I have removed the cron job until I fix this because it will just keep downing the server.

All help is greatly appreciated !

Thank you
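
Added example, not part of any post in this thread: a shell function that summarises a certbot log the way the two excerpts above were read by eye, counting "not yet due" lineages and reporting failed domains. The function name, the sample timestamps and the domain `unused.example` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise certbot renewal outcomes.
# The matched line formats are the ones quoted in the log excerpts above.

# Print a summary of the log file "$1"; return 1 if an authorization failed.
summarize_renewal_log() {
    awk '
        /:INFO:certbot\.renewal:Cert not yet due for renewal/ { not_due++ }
        /:DEBUG:certbot\.renewal:no renewal failures/        { clean = 1 }
        /AuthorizationError: Some challenges have failed/     { auth_fail = 1 }
        # A failure report gives the domain, then the ACME error type.
        /^[ \t]*Domain:/ { domain = $2 }
        /^[ \t]*Type:/   { if (domain != "") failed[domain] = $2; domain = "" }
        END {
            printf "not_due=%d\n", not_due
            printf "no_renewal_failures=%s\n", (clean ? "yes" : "no")
            for (d in failed) printf "failed_domain=%s type=%s\n", d, failed[d]
            exit (auth_fail ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample logs (timestamps and the domain are made up).
OK_LOG=$(mktemp); FAILED_LOG=$(mktemp)
trap 'rm -f "$OK_LOG" "$FAILED_LOG"' EXIT

cat > "$OK_LOG" <<'EOF'
2019-11-08 00:41:03,324:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,361:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,409:DEBUG:certbot.renewal:no renewal failures
EOF

cat > "$FAILED_LOG" <<'EOF'
2019-11-14 12:46:09,100:INFO:certbot.renewal:Cert not yet due for renewal
Domain: unused.example
Type:   unauthorized
Detail: Invalid response from http://unused.example/
2019-11-14 12:46:11,399:DEBUG:certbot.error_handler:Encountered exception:
AuthorizationError: Some challenges have failed.
EOF

summarize_renewal_log "$OK_LOG"
summarize_renewal_log "$FAILED_LOG" || echo "renewal failure: check the domains above"
```

On a real host the argument would be /var/log/letsencrypt/letsencrypt.log, and the non-zero return status can drive an alert from the cron wrapper.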

Try using “reload” instead of “restart”

But the error causing it to go off rails is the two domains that are trying to update, can I delete those certificates safely ? They are not in use anyway.
Last time I tried deleting certificates my server went to hell and everything was causing an error code and couldn’t restore my server.
I want to do it only if I can do it right and remove those two domains so that there are no more errors caused, As I have just added one new domain with the command
sudo certbot-auto --apache -d example.com -d www.example.com

Now I have this

ls -l /etc/letsencrypt/renewal/
total 20
-rw-r--r-- 1 root root 544 Nov 15 15:30 alpha.kentivo.com.conf
-rw-r--r-- 1 root root 540 Nov 10 12:44 elami.mk.conf
-rw-r--r-- 1 root root 590 Nov 10 12:46 justsayingkiddo.nl.conf
-rw-r--r-- 1 root root 509 Sep 13 11:45 kentivo.de.conf
-rw-r--r-- 1 root root 529 Sep 13 11:34 www.kentivo.de.conf

Yes (be sure their certs are not being used anywhere).
Use:
certbot delete --cert-name example.com
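
Added example, not part of any post in this thread: one way to check the "not being used anywhere" condition for Apache before running `certbot delete`, by listing lineages in the renewal directory that no uncommented Apache config line references. It assumes the vhosts point at /etc/letsencrypt/live/NAME/ as certbot's Apache installer writes them; the function names, the temporary directory layout and the `*.example` domains are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find certbot lineages that no Apache
# config references, before running "certbot delete --cert-name NAME".

# Succeeds if an uncommented line under "$2" points into live/"$1"/.
cert_in_use() {
    grep -rnF "/etc/letsencrypt/live/$1/" "$2" 2>/dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' | grep -q .
}

# Print each lineage in renewal dir "$1" that config dir "$2" does not use.
list_unreferenced() {
    local conf name
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        cert_in_use "$name" "$2" || echo "$name"
    done
}

# Constructed layout standing in for /etc/letsencrypt/renewal and /etc/apache2.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/renewal" "$DEMO/apache2/sites-enabled"
touch "$DEMO/renewal/shop.example.conf" "$DEMO/renewal/old.example.conf" \
      "$DEMO/renewal/www.old.example.conf"
cat > "$DEMO/apache2/sites-enabled/shop-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName shop.example
    SSLCertificateFile /etc/letsencrypt/live/shop.example/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/shop.example/privkey.pem
    # SSLCertificateFile /etc/letsencrypt/live/old.example/fullchain.pem
</VirtualHost>
EOF
cat > "$DEMO/apache2/sites-enabled/www-old-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.old.example
    SSLCertificateFile /etc/letsencrypt/live/www.old.example/fullchain.pem
</VirtualHost>
EOF

# old.example is only mentioned in a comment, so it is reported as unused.
list_unreferenced "$DEMO/renewal" "$DEMO/apache2"
```

On the server in this thread the arguments would be /etc/letsencrypt/renewal and /etc/apache2; the check covers Apache only, so any other service reading the same certificate files has to be checked separately.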