It's weird that certonly also gives you a cron job

At least it should tell you about this, and preferably warn. Or, even better, not do it unless you actually ask. After all, you've chosen certonly because you don't want certbot doing things you don't know about to your conf.

1 Like

The cronjob is installed by the package from distribution maintainers (or perhaps by the installation of the certbot snap, but that I don't know).

Even if you didn't get any certificate but just installed certbot, you'd have gotten the cronjob.

4 Likes

If that's the case it seems wrong that the last line of /var/log/letsencrypt/letsencrypt.log is:

Certbot has set up a scheduled task to automatically renew this certificate in the background.

AFAIK that's a specific feature embedded in certbot. Check out the following lines:

The variable config.preconfigured_renewal can be set by package maintainers (through the corresponding command line option) to indicate to certbot that a cronjob has been set. Certbot itself doesn't actually do it.

6 Likes
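As an added example, not code from any poster here or from the certbot project: a small POSIX shell check that lists which package-installed renewal schedulers a system actually has, which is what the "scheduled task" message is referring to. The cron fragment path, the systemd timer unit names and the optional root-prefix argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which scheduled renewal
# mechanisms a certbot *package* has put on the system, i.e. what the
# "scheduled task ... in the background" message refers to.
# The optional first argument is an assumed root prefix (default: the live
# filesystem) so the check can be pointed at a test tree.
# Unit names are assumptions: certbot.timer (Debian/Ubuntu packaging),
# certbot-renew.timer (Fedora/RHEL-style packaging),
# snap.certbot.renew.timer (the certbot snap).

find_renewal_schedulers() {
    root="${1:-}"
    found=0

    # Debian/Ubuntu-style packages install a cron fragment here.
    if [ -f "$root/etc/cron.d/certbot" ]; then
        echo "cron:   $root/etc/cron.d/certbot"
        found=$((found + 1))
    fi

    # Distribution packages and the snap register systemd timers.
    for unit in \
        "$root/lib/systemd/system/certbot.timer" \
        "$root/usr/lib/systemd/system/certbot.timer" \
        "$root/usr/lib/systemd/system/certbot-renew.timer" \
        "$root/etc/systemd/system/snap.certbot.renew.timer"
    do
        if [ -f "$unit" ]; then
            echo "timer:  $unit"
            found=$((found + 1))
        fi
    done

    echo "$found scheduled renewal mechanism(s) found"
    # Exit status 0 if anything is scheduled, 1 if nothing was found.
    [ "$found" -gt 0 ]
}

# Usage: sh check_renewal.sh --live   (without the flag only the function is defined)
[ "${1:-}" = "--live" ] && find_renewal_schedulers
```

Finding a scheduler only shows that something is scheduled; `certbot renew --dry-run` is the way to confirm that a renewal would actually succeed without touching the live certificate.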

The message was added to address a concern that it was not clear to users whether they needed to do something after issuing a certificate. (And in the non-preconfigured-renewal case, it prompts users to follow some instructions to set up a cron job, in order for their certificate not to expire).

I can see how the wording might imply something worrying (oh no, creating a certificate just added a new cron job to my system). It's not the case; there's just one cron job that was installed the moment you installed Certbot. If there's better wording that's not super long and conveys the intent better, I'm all for it.

certonly --csr is an option if you never want Certbot to do anything automatic.

5 Likes

How about "A scheduled task already exists to automatically renew this certificate in the background."

Or possibly "A scheduled task already exists (courtesy of the certbot package) to automatically renew this certificate in the background."

Also, I think "in the background" is understood here and could probably be omitted.

2 Likes

Certbot was created to automate renewals as much as possible for the vast majority of people - a set and forget - and thus create a cron job for automatic renewals.

The use of certbot certonly --manual won't create an automatic renewal cron job. You can add your own pre- and/or post-hooks in the command line.
https://certbot.eff.org/docs/using.html#manual-renewal

For newbies, if "in the background" were omitted, they could end up worrying their certs weren't renewing. They'd be expecting to see a "visual" renewal process happening or at least some type of notification of a successful renewal instead.

5 Likes

OK, maybe "background" does do more to imply "automatically scheduled". I like certbot btw, really slick overall. If you can't assume knowledge of cron, I'd say the log output is already pretty voluminous, though, and two sentences for this purpose to mention both effect and mechanism ("will be automatically renewed when necessary without any further action required" and "via cron/systemd") wouldn't be excessive.

After some cp -r, diff -u etc. I think all the /etc/apache2 edits look safe and reasonable and decided to just use them. I still think it might be nice to offer an easy way to view proposed changes (if --dry-run exists it usually does something like that in my experience). You know, just for people who enjoy telling themselves they know what's going on :)

1 Like

Can be misinterpreted as if it just tried and failed to make one because one "already exists".

4 Likes

I don't think this is good advice, because:

  • the certbot application never adds a cronjob by calling the certbot application: it's the package (Debian/Ubuntu/snap/whatever_package_manager) that would have installed the cronjob. No option combination for certbot would do that;
  • --manual isn't necessary to prevent a cronjob, as stated above;
  • certbot certonly --webroot will automatically add and remove files from the filesystem, but will leave webserver configuration files alone.

4 Likes

Maybe a poor choice of wording? I probably should have said:
Renewals with certbot --manual (without any webhooks) cannot be automated since the TXT DNS records or HTTP files - depending upon which authentication method you chose - have to be copied and pasted manually and therefore cannot be automated with a cron job. You have to repeat the same certbot --manual command you used to create the original cert.

6 Likes
