My domain is: https://jsonip.com
I’m trying to track down why my Let's Encrypt setup isn’t automatically renewing certificates. This has been a 4x a year problem for at least the last year and I’m finally trying to find out what is going on.
I’ve replaced my email address with <redacted email> in the matching places.
My server is running Ubuntu 16.04.5 and I’m running certbot 0.26.1.
I was reading through this tutorial and noticed in their example for the letsencrypt.timer that the [Timer] stanza has a Unit=letsencrypt.service line that my configuration is missing. Is this the part that’s causing the renewal to fail?
The timers seem to be loaded (and I think running):
$ systemctl list-timers --al
Mon 2018-08-27 02:24:50 UTC 4h 4min left Sun 2018-08-26 02:05:53 UTC 20h ago letsencrypt.timer letsencrypt.service
Mon 2018-08-27 02:51:36 UTC 4h 31min left n/a n/a certbot.timer certbot.service
But the letsencrypt.service isn’t showing as loaded or running:
$ systemctl | grep letsencrypt
letsencrypt.timer loaded active waiting Daily renewal of Let's Encrypt's certificates
The letsencrypt.timer shows as loaded active waiting. I don’t know if the timer is supposed to start the .service when it triggers, or if the .service should be permanent.
Below are the contents of the letsencrypt.service and letsencrypt.timer.
letsencrypt.service
[Unit]
Description=Let's Encrypt auto renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt renew --agree-tos --email <redacted email>
SyslogIdentifier=letsencrypt-log
letsencrypt.timer
[Unit]
Description=Daily renewal of Let's Encrypt's certificates
[Timer]
# once a day, at 2AM
OnCalendar=*-*-* 02:00:00
# Be kind to the Let's Encrypt servers: add a random delay of 0–3600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target
Finally, here are the logs from a couple of days ago from /var/log/letsencrypt/letsencrypt.log. I examined other rotated log files going back a week and they all appear the same.
2018-08-23 02:39:21,050:DEBUG:letsencrypt.cli:Root logging level set at 30
2018-08-23 02:39:21,051:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-08-23 02:39:21,052:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2018-08-23 02:39:21,052:DEBUG:letsencrypt.cli:Arguments: ['--agree-tos', '--email', '<redacted email>']
2018-08-23 02:39:21,052:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2018-08-23 02:39:21,059:DEBUG:letsencrypt.cli:Requested authenticator and installer
2018-08-23 02:39:21,060:DEBUG:letsencrypt.cli:Default Detector is Namespace(account='', agree_dev_preview=None, apache='', authenticator='', break_my_certs='', cert_path='/', chain_path=None, checkpoints=0, config_dir='', config_file=None, configurator='', csr='', debug='', domains=[], dry_run='', duplicate='', email='<redacted email>', expand='', fullchain_path=None, func=<function renew at 0x7f008246b578>, hsts=False, http01_port=0, ifaces='', init='', installer='', key_path='/', logs_dir='', manual='', manual_public_ip_logging_ok=False, manual_test_mode=False, nginx='', no_self_upgrade='', no_verify_ssl=False, noninteractive_mode='', os_packages_only='', prepare='', redirect=None, register_unsafely_without_email='', reinstall='', renew_by_default='', rsa_key_size=0, server='', staging='', standalone='', standalone_supported_challenges='tls-sni-01,http-01', store_false_vars={'--no-hsts': True, '--no-uir': True, <letsencrypt.cli.HelpfulArgumentParser object at 0x7f0081f12650>: True, '--no-redirect': True}, strict_permissions='', text_mode='', tls_sni_01_port=0, tos=True, uir=None, user_agent=None, verb='renew', verbose_count=0, version='', webroot='', webroot_map={}, webroot_path=[], work_dir='')
2018-08-23 02:39:21,066:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2018-08-23 02:39:21,073:DEBUG:parsedatetime:CRE_UNITS matched
2018-08-23 02:39:21,073:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2018-08-23 02:39:21,073:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2018-08-23 02:39:21,073:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2018-08-23 02:39:21,073:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2018, tm_mon=8, tm_mday=23, tm_hour=2, tm_min=39, tm_sec=21, tm_wday=3, tm_yday=235, tm_isdst=0))
2018-08-23 02:39:21,074:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2018-08-23 02:39:21,074:DEBUG:parsedatetime:units days --> realunit days
2018-08-23 02:39:21,074:DEBUG:parsedatetime:return
2018-08-23 02:39:21,074:INFO:letsencrypt.cli:Cert not yet due for renewal
2018-08-23 02:39:21,077:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2018-08-23 02:39:21,077:DEBUG:parsedatetime:CRE_UNITS matched
2018-08-23 02:39:21,077:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2018-08-23 02:39:21,077:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2018-08-23 02:39:21,077:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2018-08-23 02:39:21,077:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2018, tm_mon=8, tm_mday=23, tm_hour=2, tm_min=39, tm_sec=21, tm_wday=3, tm_yday=235, tm_isdst=0))
2018-08-23 02:39:21,078:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2018-08-23 02:39:21,078:DEBUG:parsedatetime:units days --> realunit days
2018-08-23 02:39:21,078:DEBUG:parsedatetime:return
2018-08-23 02:39:21,078:INFO:letsencrypt.cli:Cert not yet due for renewal
2018-08-23 02:39:21,078:DEBUG:letsencrypt.cli:no renewal failures
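
The log excerpt above records `letsencrypt version: 0.4.1`, while the post reports certbot 0.26.1 as installed; the sketch below turns that comparison into a repeatable check over a renewal log. It is an added example, not part of the original post or of certbot: `summarize_run` and its `expected_version` parameter are hypothetical names, and it recognizes only the message strings visible in the excerpt.

```python
import re

# Constructed sample: four lines taken from the log excerpt in the post.
SAMPLE_LOG = """\
2018-08-23 02:39:21,052:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2018-08-23 02:39:21,074:INFO:letsencrypt.cli:Cert not yet due for renewal
2018-08-23 02:39:21,078:INFO:letsencrypt.cli:Cert not yet due for renewal
2018-08-23 02:39:21,078:DEBUG:letsencrypt.cli:no renewal failures
"""

# Layout seen in the excerpt: "<date> <time>,<ms>:<LEVEL>:<logger>:<message>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}:([A-Z]+):([\w.]+):(.*)$")


def summarize_run(log_text, expected_version=None):
    """Summarize one renewal run (hypothetical helper, not part of certbot)."""
    summary = {"first_seen": None, "version": None, "not_due": 0,
               "no_failures": False, "problems": [], "version_mismatch": False}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without the timestamp prefix are skipped
        stamp, level, _logger, msg = m.groups()
        if summary["first_seen"] is None:
            summary["first_seen"] = stamp
        if msg.startswith("letsencrypt version: "):
            summary["version"] = msg.split(": ", 1)[1].strip()
        elif msg.strip() == "Cert not yet due for renewal":
            summary["not_due"] += 1
        elif msg.strip() == "no renewal failures":
            summary["no_failures"] = True
        elif level in ("WARNING", "ERROR", "CRITICAL"):
            summary["problems"].append(msg.strip())
    # Flag a run performed by a different client version than the one expected.
    if expected_version is not None and summary["version"] is not None:
        summary["version_mismatch"] = summary["version"] != expected_version
    return summary


if __name__ == "__main__":
    # 0.26.1 is the certbot version the post reports as installed.
    print(summarize_run(SAMPLE_LOG, expected_version="0.26.1"))
```
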