Is auto-renew working correctly?

Hello,

I have installed Let's Encrypt following this tutorial

And it all seems to be working correctly; it passed the test on https://www.ssllabs.com/ssltest/index.html. But my concern is step 6, setting up the server crontab to auto-renew the SSL certificate: whether it automatically renews the certificate, and I want to be sure that I installed Let's Encrypt correctly.

I had just tried this command => sudo certbot renew --dry-run

and got the following output

user@user:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mydomain.com.conf


Attempting to parse the version 1.0.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com.conf with version 0.31.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.com
http-01 challenge for www.mydomain.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/mydomain.com/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
1 Like

Seems to work to me?

2 Likes

OK, and adding this rule below in crontab should renew it automatically a month before expiration, correct?

0 2 * * * sudo /usr/sbin/certbot-auto -q renew

If your user account requires a password in order to sudo, putting sudo in a crontab command will probably not work, because the automated scheduler won't be able to supply the correct password. The renewal task should instead be placed in a crontab file where commands are already run with the necessary privileges, such as the root user's crontab. Or you can use the automated scheduling that likely already came with your Certbot package: since you're using certbot rather than certbot-auto, it looks like you've probably installed Certbot with a package manager, which normally sets up automated renewal for you automatically.

1 Like

But the cronjob command does use certbot-auto, although in a non-standard directory?

3 Likes

Oh, good catch!

@bella20, the message

Attempting to parse the version 1.0.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com.conf with version 0.31.0 of Certbot. This might not work.

shows that you have two different versions of Certbot—one of them as part of your operating system installed via a package manager (perhaps with apt), and the other one that you downloaded with certbot-auto following the tutorial's instructions.

Only one of the two should be necessary, and the operating system version, at least, probably already has an autorenewal mechanism set up.

Despite the warning about incompatible versions, I don't think there's anything in particular that will be a problem in practice between 0.31.0 and 1.0.0 Certbot renewal configuration files.

2 Likes

OK, so what should I do? What do you recommend?

I would suggest using your OS-packaged version if you don’t have a specific reason not to. It probably already has automated renewals set up using a systemd timer.

3 Likes
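
A read-only check for the points raised in this thread (sudo in a crontab entry, certbot-auto next to the packaged certbot, a renewal configuration written by a different Certbot version, and whether a scheduler is already installed), added here as an example and not posted by anyone in the thread. The function names are hypothetical, and the `certbot.timer` unit and `/etc/cron.d/certbot` path are assumptions based on Debian/Ubuntu packaging.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed.

# Certbot version recorded in a renewal config ("version = X.Y.Z" line).
conf_version() {
    sed -n 's/^version[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Version number out of `certbot --version` output, e.g. "certbot 0.31.0".
client_version() {
    printf '%s\n' "$1" |
        sed -n 's/^certbot[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p'
}

# Findings for one crontab entry, one token per line (empty output = clean).
cron_findings() {
    case $1 in *"sudo "*)      echo uses-sudo ;; esac
    case $1 in *certbot-auto*) echo uses-certbot-auto ;; esac
    case $1 in *renew*) ;; *)  echo no-renew-subcommand ;; esac
}

# Read-only audit of the local machine. Assumed Debian/Ubuntu package names:
# certbot.timer and /etc/cron.d/certbot; adjust for other distributions.
audit_host() {
    for c in certbot certbot-auto; do
        if p=$(command -v "$c" 2>/dev/null); then echo "client found: $p"; fi
    done
    installed=$(client_version "$(certbot --version 2>&1)")
    for f in /etc/letsencrypt/renewal/*.conf; do
        [ -r "$f" ] || continue
        v=$(conf_version "$f")
        [ "$v" = "$installed" ] ||
            echo "$f: written by $v, packaged client is ${installed:-absent}"
    done
    if systemctl is-enabled --quiet certbot.timer 2>/dev/null; then
        echo "scheduler: certbot.timer is enabled"
    fi
    if [ -f /etc/cron.d/certbot ]; then
        echo "scheduler: /etc/cron.d/certbot is present"
    fi
    return 0
}

# Demo on the crontab entry quoted in the thread.
cron_findings '0 2 * * * sudo /usr/sbin/certbot-auto -q renew'
# To inspect the machine itself, call: audit_host
```

If `audit_host` reports an enabled scheduler for the packaged client, a second hand-written cron entry for certbot-auto is redundant.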
