How to fix auto renewal so it uses certbot-auto?

Bob_Swede · December 28, 2019, 10:27am

My domain is: home.boberglund.com
My web server is (include version): Apache/2.4.41
The operating system my web server runs on is (include version):Ubuntu 18.04.3 LTS
I can login to a root shell on my machine: yes of course…
The version of my client is: certbot 0.31.0 certbot-auto 1.0.0

I have my system set up using certbot-auto and manual renew (dry-run) works OK.
However the installed script for renewal in /etc/cron.d/certbot uses certbot calls and the conf file used has a later revision so it does not match certbot (it was created by certbot-auto). So there are warnings in the renewal logfile about a version mismatch:

2019-12-28 05:24:12,218:INFO:certbot.storage:Attempting to parse the version 1.0.0 renewal configuration file found at /etc/letsencrypt/renewal/home.boberglund.com.conf with version 0.31.0 of Certbot. This might not work.

The cron job is setup in /etc/cron.d/certbot, which contains this (comments removed):

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

How do I change this so certbot-auto is used instead (or how do I get a later version of certbot that matches the script)?

I have posted the same question in my earlier thread but there has been no responses so I figured I should create a new unique thread for this instead…

Osiris · December 28, 2019, 12:34pm

Just change the /usr/bin/certbot and certbot references in your cronjob to the exact (absolute) path of your certbot-auto script?

mnordhoff · December 28, 2019, 1:01pm

The cron job isn't used on Ubuntu.

You can use "sudo systemctl edit certbot.service" or something like that to edit the systemd timer.

(Note that, unlike cron jobs, ExecStart in timers always takes an absolute path.)

Bob_Swede · December 28, 2019, 2:10pm

Yesterday I had created a sudo cron jopb myself like this:

# This command will renew the ssl certificates used by svn.boberglund.com and video.boberglund.com
15 3 * * * /usr/local/bin/certbot-auto renew

When I looked at the logfile this morning I found entries from my cron execution at 3:15 as it should but also the logs from the extraneous job that was entered by the installer back in August...
This is the log from my own sudo cron job:

2019-12-28 03:15:03,508:DEBUG:certbot._internal.log:Root logging level set at 20
2019-12-28 03:15:03,508:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-12-28 03:15:03,563:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli._Default object at 0x7ff17aa66890> and installer <certbot._internal.cli._Default object at 0x7ff17aa66890>
2019-12-28 03:15:03,615:INFO:certbot._internal.renewal:Cert not yet due for renewal
2019-12-28 03:15:03,616:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2019-12-28 03:15:03,616:DEBUG:certbot._internal.renewal:no renewal failures

And it is followed by logging from the unwanted renewal job:

2019-12-28 05:24:12,196:DEBUG:certbot.main:certbot version: 0.31.0
2019-12-28 05:24:12,198:DEBUG:certbot.main:Arguments: ['-q']
2019-12-28 05:24:12,199:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-12-28 05:24:12,214:DEBUG:certbot.log:Root logging level set at 30
2019-12-28 05:24:12,216:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-12-28 05:24:12,218:INFO:certbot.storage:Attempting to parse the version 1.0.0 renewal configuration file found at /etc/letsencrypt/renewal/home.boberglund.com.conf with version 0.31.0 of Certbot. This might not work.
2019-12-28 05:24:12,228:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f8290520ac8> and installer <certbot.cli._Default object at 0x7f8290520ac8>
2019-12-28 05:24:12,263:INFO:certbot.renewal:Cert not yet due for renewal
2019-12-28 05:24:12,264:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-12-28 05:24:12,264:DEBUG:certbot.renewal:no renewal failures

It seems like the unwanted execution happens very often too with something like 7 hours interval, which seems unnecessary given that the interval between actual renewals is 60 days!
How can I get rid of the installed job and only keep my own sudo cron job?
Editing the job is not something I can do because I don't really understand the code in that script....

Bob_Swede · December 28, 2019, 7:39pm

I used the command below to see the certbot timer since I was told that on machines with systemd (like Ubuntu) the cron setting is not used…
It resulted in this almost incomprehensible output:

$ sudo systemctl show certbot.timer
Unit=certbot.service
NextElapseUSecRealtime=Sun 2019-12-29 02:02:22 CET
NextElapseUSecMonotonic=0
LastTriggerUSec=Sat 2019-12-28 19:41:41 CET
LastTriggerUSecMonotonic=3w 6h 29min 52.366125s
Result=success
AccuracyUSec=1min
RandomizedDelayUSec=12h
Persistent=yes
WakeSystem=no
RemainAfterElapse=yes
Id=certbot.timer
Names=certbot.timer
Requires=sysinit.target -.mount
WantedBy=timers.target
Conflicts=shutdown.target
Before=timers.target certbot.service shutdown.target
After=time-sync.target -.mount sysinit.target
Triggers=certbot.service
RequiresMountsFor=/var/lib/systemd/timers
Description=Run certbot twice daily
LoadState=loaded
ActiveState=active
SubState=waiting
FragmentPath=/lib/systemd/system/certbot.timer
UnitFileState=enabled
UnitFilePreset=enabled
StateChangeTimestamp=Sat 2019-12-28 19:41:49 CET
StateChangeTimestampMonotonic=1837800267414
InactiveExitTimestamp=Sat 2019-12-07 13:12:11 CET
InactiveExitTimestampMonotonic=22723336
ActiveEnterTimestamp=Sat 2019-12-07 13:12:11 CET
ActiveEnterTimestampMonotonic=22723336
ActiveExitTimestampMonotonic=0
InactiveEnterTimestampMonotonic=0
CanStart=yes
CanStop=yes
CanReload=no
CanIsolate=no
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Sat 2019-12-07 13:12:11 CET
ConditionTimestampMonotonic=22723287
AssertTimestamp=Sat 2019-12-07 13:12:11 CET
AssertTimestampMonotonic=22723287
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
InvocationID=824d304e75b54c78847f3ddd90e18ce1
CollectMode=inactive

Please tell me how to get rid of this “timer” and associated “service” so I can use my simple to understand cron job (for sudo).
I do not want to have something running with the wrong certbot version and in a way that I cannot understand either.

EDIT:
I have now found where the certbot.timer and certbot.service files reside.
They are in /lib/systemd/system/ as
certbot.timer and certbot.service respectively.
Content is:

certbot.timer:
--------------------------------------------
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target
--------------------------------------------
certbot.service:
---------------------------------------------
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

QUESTION:
Can I edit these 2 files to change the invocation by setting

Description=Run certbot-auto once daily
OnCalendar=*-*-* 12:00:00

and
ExecStart=/usr/local/bin/certbot-auto -q renew

Do I have to restart something to notify systemd on the changed schedule (to once a day)?

ANSWER:
It seems to be OK just editing based on the following in the log file:

2019-12-29 00:46:30,236:DEBUG:certbot._internal.main:certbot version: 1.0.0
2019-12-29 00:46:30,237:DEBUG:certbot._internal.main:Arguments: []
2019-12-29 00:46:30,237:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-12-29 00:46:30,256:DEBUG:certbot._internal.log:Root logging level set at 20
2019-12-29 00:46:30,257:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-12-29 00:46:30,312:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli._Default object at 0x7fb4b0ef3890> and installer <certbot._internal.cli._Default object at 0x7fb4b0ef3890>
2019-12-29 00:46:30,364:INFO:certbot._internal.renewal:Cert not yet due for renewal
2019-12-29 00:46:30,365:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2019-12-29 00:46:30,365:DEBUG:certbot._internal.renewal:no renewal failures

Notice that the first log line for this time shows certbot version 1.0.0 indicating that certbot-auto is in fact used.

Case closed - at least until 2020-02-24 when the cert is 30 days from expiration…

system · January 27, 2020, 7:39pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.