Lets Encrypt not automatically renewing certificates

My domain is: https://jsonip.com

I’m trying to track down why my Lets Encrypt setup isn’t automatically renewing certificates. This has been a 4x a year problem for at least the last year and I’m finally trying to find out what is going on.

I’ve replaced my email address with <redacted email> in the matching places.

My server is running Ubuntu 16.04.5 and I’m running certbot 0.26.1.

I was reading through this tutorial and noticed in their example for the letsencrypt.timer that the [Timer] stanza has a Unit=letsencrypt.service line that my configuration is missing. Is this the part that’s causing the renewal to fail?

The timers seem to be loaded (and I think running):

$ systemctl list-timers --al

Mon 2018-08-27 02:24:50 UTC  4h 4min left  Sun 2018-08-26 02:05:53 UTC  20h ago letsencrypt.timer            letsencrypt.service
Mon 2018-08-27 02:51:36 UTC  4h 31min left n/a                          n/a     certbot.timer                certbot.service

But the letsencrypt.service isn’t showing as loaded or running:

$ systemctl | grep letsencrypt
letsencrypt.timer                                                                      loaded active waiting   Daily renewal of Let's Encrypt's certificates

The letsencrypt.timer shows as loaded active waiting. I don’t know if the timer is supposed to start the .service when it triggers, or if the .service should be permanent.

Below are the contents of the letsencrypt.service and letsencrypt.timer.

letsencrypt.service

[Unit]
Description=Let's Encrypt auto renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt renew --agree-tos --email <redacted email>
SyslogIdentifier=letsencrypt-log

letsencrypt.timer

[Unit]
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
# once a day, at 2AM
OnCalendar=*-*-* 02:00:00
# Be kind to the Let's Encrypt servers: add a random delay of 0–3600 seconds
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target

Finally, here are the logs from a couple of days ago from /var/log/letsencrypt/letsencrypt.log. I examined other rotated log files going back a week and they all appear the same.

2018-08-23 02:39:21,050:DEBUG:letsencrypt.cli:Root logging level set at 30
2018-08-23 02:39:21,051:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-08-23 02:39:21,052:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2018-08-23 02:39:21,052:DEBUG:letsencrypt.cli:Arguments: ['--agree-tos', '--email', '<redacted email>']
2018-08-23 02:39:21,052:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2018-08-23 02:39:21,059:DEBUG:letsencrypt.cli:Requested authenticator  and installer 
2018-08-23 02:39:21,060:DEBUG:letsencrypt.cli:Default Detector is Namespace(account='', agree_dev_preview=None, apache='', authenticator='', break_my_certs='', cert_path='/', chain_path=None, checkpoints=0, config_dir='', config_file=None, configurator='', csr='', debug='', domains=[], dry_run='', duplicate='', email='<redacted email>', expand='', fullchain_path=None, func=<function renew at 0x7f008246b578>, hsts=False, http01_port=0, ifaces='', init='', installer='', key_path='/', logs_dir='', manual='', manual_public_ip_logging_ok=False, manual_test_mode=False, nginx='', no_self_upgrade='', no_verify_ssl=False, noninteractive_mode='', os_packages_only='', prepare='', redirect=None, register_unsafely_without_email='', reinstall='', renew_by_default='', rsa_key_size=0, server='', staging='', standalone='', standalone_supported_challenges='tls-sni-01,http-01', store_false_vars={'--no-hsts': True, '--no-uir': True, <letsencrypt.cli.HelpfulArgumentParser object at 0x7f0081f12650>: True, '--no-redirect': True}, strict_permissions='', text_mode='', tls_sni_01_port=0, tos=True, uir=None, user_agent=None, verb='renew', verbose_count=0, version='', webroot='', webroot_map={}, webroot_path=[], work_dir='')
2018-08-23 02:39:21,066:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2018-08-23 02:39:21,073:DEBUG:parsedatetime:CRE_UNITS matched
2018-08-23 02:39:21,073:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2018-08-23 02:39:21,073:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2018-08-23 02:39:21,073:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2018-08-23 02:39:21,073:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2018, tm_mon=8, tm_mday=23, tm_hour=2, tm_min=39, tm_sec=21, tm_wday=3, tm_yday=235, tm_isdst=0))
2018-08-23 02:39:21,074:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2018-08-23 02:39:21,074:DEBUG:parsedatetime:units days --> realunit days
2018-08-23 02:39:21,074:DEBUG:parsedatetime:return
2018-08-23 02:39:21,074:INFO:letsencrypt.cli:Cert not yet due for renewal
2018-08-23 02:39:21,077:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2018-08-23 02:39:21,077:DEBUG:parsedatetime:CRE_UNITS matched
2018-08-23 02:39:21,077:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2018-08-23 02:39:21,077:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2018-08-23 02:39:21,077:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2018-08-23 02:39:21,077:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2018, tm_mon=8, tm_mday=23, tm_hour=2, tm_min=39, tm_sec=21, tm_wday=3, tm_yday=235, tm_isdst=0))
2018-08-23 02:39:21,078:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2018-08-23 02:39:21,078:DEBUG:parsedatetime:units days --> realunit days
2018-08-23 02:39:21,078:DEBUG:parsedatetime:return
2018-08-23 02:39:21,078:INFO:letsencrypt.cli:Cert not yet due for renewal
2018-08-23 02:39:21,078:DEBUG:letsencrypt.cli:no renewal failures

Hi @geuis,

Your current certificate expires on September 29, 2018, and so the default renewal period hasn’t been reached. Just as the log file says, Certbot isn’t attempting to renew your certificate at all because it doesn’t believe it’s necessary to do so until later this week.

It’s also quite possible that there’s a problem with your automated renewals and that they’re failing for some reason, but you’ll be able to see that specific problem, if any, later on this week once the renewals are being attempted.

Hey @schoen. Yeah, I know that my current certificate is fine and certbot doesn’t need to renew it right now. My question is if my systemd letsencrypt.service and letsencrypt.timer are setup correctly. The problem I’m trying to solve is why the certs never auto renew on their own every 3 months like they should

I don’t see any evidence that the timer is broken, so I think there’s probably some other problem with the renewal process itself, which you should be able to see once the renewal is attempted.

Am I correct in that the letsencrypt.timer is running persistently in systemd, and that it will launch letsencrypt.service on its own? For example, why .service isn’t listed here:

$ systemctl | grep letsencrypt
letsencrypt.timer                                                                      loaded active waiting   Daily renewal of Let's Encrypt's certificates

Sorry, I don’t know enough about systemd to answer that question.

1 Like

@schoen Thanks for the help. Since you verified everything looked correct I did some more digging and now I think my problem has been that nginx hasn’t been reloading after the certs update.

I updated my letsencrypt.service to this to use the post-hook option:

[Unit]
Description=Let's Encrypt auto renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --agree-tos --email <redacted> --post-hook="service nginx reload"
SyslogIdentifier=letsencrypt-log

I tested /usr/bin/certbot renew --agree-tos --email <redacted> --post-hook="service nginx reload" with the additional --force-renewal and everything seemed to work and my certs updated. So I think this is the solution to the problem.

Please make sure your renewal config isn't update to include this option. I don't know if certbot would save that option, but better to be safe than sorry. Not very wise to update the cert daily :stuck_out_tongue:

I don't think it saves it—if you find an example where it does, that would be a serious bug!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.