Is auto-renew working correctly?

Hello,

Regarding previous post that closed automatically => Is auto-renew working correctly?

@schoen about your reply below on the thread

I would suggest using your OS-packaged version if you don’t have a specific reason not to. It probably already has automated renewals set up using a systemd timer.

Can you explain how I can do this, because I really did not understand what you mean?

Thanks!


Hi @bella20,

There are various ways that people choose to install Certbot. The one you used, following a tutorial, is called certbot-auto. Another way is using your operating system’s official software repository. I was suggesting that the second method is usually preferable, and usually also automatically sets up a task to perform automated renewals using Certbot.

If you look at

you can see some of our official instructions for installing Certbot using your operating system’s official software management mechanism, if that’s possible on your system. In this case, an autorenewal task will also be created for you and you won’t have to do anything of that nature yourself.


I should also mention that typically, if you switch Certbot installation methods, you don’t have to delete or recreate your certificates, because versions of Certbot that were installed at different times and in different ways can still usually read, recognize, and renew the certificates that were created by other versions of Certbot. You might receive a version mismatch warning about renewing with an older Certbot version, but unless something visibly goes wrong with the renewal, it should be OK.


I tried this website, but it does not tell me anything. Is there any tutorial to follow to set up autorenew correctly in my case? Because right now it won't renew the certificate because of the sudo command, is that correct?

If you use the operating-system provided one, it will already be set up for you.

If you want to continue using certbot-auto, the issue that we were discussing in the old thread is that you can’t use your own (user) crontab to create the automated renewal task, because your user doesn’t have enough permissions to perform the renewal, and sudo probably won’t work in an automated non-interactive task.

Instead, you could add the task in root’s crontab, editing with sudo crontab -e instead of crontab -e, and then omitting the sudo command from the renewal task that you create in the crontab file.

Ok, then what is the path of the root crontab file and what command do I add to this file, if I may ask, so that this works automatically?

Sorry for being such a pain, but this is new for me.

As a slight adaptation of the command from the other thread, you could use

42 2 * * * /usr/sbin/certbot-auto -q renew

You can put this in root’s crontab file by using sudo crontab -e (not crontab -e). That is, the sudo goes with the crontab-editing command, not with the command that goes into the crontab file.

When doing

sudo crontab -e

I have the following in the file

Is this correct, or do I remove that last line and add your command line instead?

Just check that /usr/sbin/certbot-auto is right, and then yes, I would replace that command with mine. That one has numerous problems and limitations.

I checked /usr/sbin/certbot-auto like you asked by running the command "cat /usr/sbin/certbot-auto | more" and it displays the text file below:

Which seems to be fine to me since the file exists, is that correct?

And I also replaced the command line with yours, as you asked.

Yes, that seems right, in that case.

Ok perfect.

So, do I need to do anything else?

Thanks again for the help!

I think this is right. Do you know when your existing certificate expires? You can check 30 days before that to see if Certbot has successfully autorenewed it.

Hello, I am not so sure it is working, because this is the certificate expiration information:

Validity

Not Before: 1/14/2020, 5:46:43 PM (Central European Standard Time)

Not After: 4/13/2020, 6:46:43 PM (Central European Standard Time)

So, if I am not mistaken, it should have renewed the certificate 2 days ago, correct?

32 days ago, not 2.

your cron is set up to run every first day of any even numbered month. February 1st, then April 1st.

you need to do two things: remove --renew-by-default and set the cron so it runs at least once per week (once or twice per day would be better) -- have you replaced it?

So, it will renew the 1st of April or in 2 days (30 days before)?

what does your cron say right now?

if it’s your original one, it will run on April 1st no matter what. But this is dangerous. If renewal fails – your machine is off, there are connectivity issues on either end… – on April 1st the next automatic attempt would be on June 1st. That’s why you should run the cron once per day and let certbot decide if it’s time to renew.

if you replaced it as per @schoen’s suggestion, it will run every night and only renew 30 days before expiration. But this doesn’t seem to be the case, as it would have renewed the cert last night, and it didn’t.
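
The problems raised in the posts above (sudo inside the job, --renew-by-default, and a schedule that fires only on a fixed day of certain months) can be checked mechanically against a crontab line. This is an added example, not part of the thread and not Certbot's own code; the function name, the finding names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one crontab line that runs a Certbot renewal.
# Echoes space-separated findings, or "ok". Finding names are made up here.
audit_renew_line() {
    line=$1
    set -f                      # schedule fields contain '*': no globbing
    set -- $line                # split into fields (function-local $1..$n)
    set +f
    if [ $# -lt 6 ]; then echo "not-a-cron-entry"; return 0; fi
    dom=$3 mon=$4 dow=$5
    shift 5
    cmd=$*
    case $cmd in
        *certbot*renew*) ;;
        *) echo "not-a-renew-job"; return 0 ;;
    esac
    findings=""
    # sudo cannot prompt in a non-interactive job; root's crontab needs none.
    case " $cmd " in *" sudo "*) findings="$findings sudo-in-job" ;; esac
    # The thread says to drop this flag and let Certbot decide when to renew.
    case " $cmd " in
        *" --renew-by-default "*) findings="$findings forced-renewal" ;;
    esac
    # Heuristic: a restricted month, or a single day-of-month with no weekday,
    # leaves a month or more between attempts, so one failed run is costly.
    sparse=no
    if [ "$mon" != "*" ]; then sparse=yes; fi
    case $dom in
        *[!0-9]*) ;;
        *) if [ "$dow" = "*" ]; then sparse=yes; fi ;;
    esac
    if [ "$sparse" = yes ]; then findings="$findings sparse-schedule"; fi
    findings=${findings# }
    echo "${findings:-ok}"
}

# Constructed sample lines (the first is the entry suggested in the thread).
audit_renew_line '42 2 * * * /usr/sbin/certbot-auto -q renew'
audit_renew_line '0 0 1 2-12/2 * sudo /usr/sbin/certbot-auto renew --renew-by-default'
```

To audit the real file, feed each line of `sudo crontab -l` to the function; the schedule check is a heuristic and does not expand every cron range or step syntax.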

I think it renewed correctly, look at it now:

Validity
Not Before 3/15/2020, 1:47:40 AM (Central European Standard Time)
Not After 6/13/2020, 2:47:40 AM (Central European Standard Time)

It seems to be working correctly, right?

Thanks!

Well… it is a valid certificate.

I have no way of knowing what renewed it.

What command should I run to show you what renewed it?