I am able to perform a certbot renewal using the commands below, no issues. But when the same commands are executed using cron, they generate an error. Details follow:
- Manual commands that work successfully:
admin@4D-M1-Prod NGINX % nginx -s stop
admin@4D-M1-Prod NGINX % sudo /opt/homebrew/bin/certbot renew
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/prod.mbmdb.net.conf
Renewing an existing certificate for prod.mbmdb.net
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/prod.mbmdb.net/fullchain.pem (success)
admin@4D-M1-Prod NGINX % nginx -p '' -c nginx.conf
admin@4D-M1-Prod NGINX %
- Root level crontab runs the following script:
# renew Letsencrypt certificate for NGINX web server
# run from root crontab
CURRENTDATE=$(date +%c)
echo "\nChecking Letsencrypt cert renewal status at "$CURRENTDATE"\n" >> /Users/admin/Desktop/certbotRenew.txt
cd /Users/admin/Documents/NGINX
nginx -s stop >> /Users/admin/Desktop/certbotRenew.txt
sleep 3
/opt/homebrew/bin/certbot renew >> /Users/admin/Desktop/certbotRenew.txt
sleep 3
nginx -p '' -c nginx.conf >> /Users/admin/Desktop/certbotRenew.txt
The output from the above script is:
Checking Letsencrypt cert renewal status at Wed Apr 10 23:45:00 2024
Processing /etc/letsencrypt/renewal/prod.mbmdb.net.conf
Renewing an existing certificate for prod.mbmdb.net
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: prod.mbmdb.net
Type: unauthorized
Detail: 24.247.206.182: Invalid response from MBM Giving "<html lang="en"><link rel="preconnect" href="https://fonts.gstatic.com" crossorigin="">\n <meta charset="ut"
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
QUESTION: The scheduled cron run script is run from the root level cron. Why does it produce different results compared to using sudo to manually run the same command? The nginx server is running on port 80, but as you can see, it is stopped ahead of running the cert renewal, so there should not be a conflict when/if your process starts up a temporary server on port 80. I put sleep commands in to provide a delay but this did not address it.
My domain is: prod.mbmdb.net
Server version: nginx/1.25.3
The operating system my web server runs on is (include version): MacOS Sonoma 14.4.1
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.4
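As an added example that is not part of the original post, here is a cron-safe version of the renewal wrapper. It rests on two general facts about cron rather than on anything specific to this host: cron runs jobs with a minimal environment (no login-shell profile, so PATH is typically just /usr/bin:/bin and does not include /opt/homebrew/bin), and the posted script redirects only stdout, so anything a step writes to stderr ("command not found", an nginx error) never reaches certbotRenew.txt. The wrapper therefore sets PATH explicitly, references every binary by absolute path, captures stderr alongside stdout, logs each step's exit status, and refuses to run certbot if the nginx stop step did not succeed. The log path, certbot path and nginx directory are the ones from the post; the nginx binary location and the RENEW_RUN / RENEW_LOG / NGINX_BIN / CERTBOT_BIN / NGINX_DIR variables are assumptions of this example.

```shell
#!/bin/sh
# Cron-safe wrapper around "certbot renew" (example code, not the poster's script).
# cron starts jobs with a minimal environment, so PATH is set explicitly and every
# binary is referenced by absolute path. stdout AND stderr go to the log, and the
# exit status of each step is recorded, so a silent failure cannot hide.
PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
export PATH

LOG=${RENEW_LOG:-/Users/admin/Desktop/certbotRenew.txt}   # log file from the post
NGINX=${NGINX_BIN:-/opt/homebrew/bin/nginx}                # assumed nginx location
CERTBOT=${CERTBOT_BIN:-/opt/homebrew/bin/certbot}          # certbot path from the post
NGINX_DIR=${NGINX_DIR:-/Users/admin/Documents/NGINX}       # nginx config dir from the post

# log MESSAGE...: append one timestamped line to the log file.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# require_cmd PATH: succeed only if PATH is an executable file; log the failure
# together with the PATH cron gave us, which is the first thing to inspect.
require_cmd() {
    if [ -x "$1" ]; then
        return 0
    fi
    log "ERROR: $1 is not executable or does not exist (PATH=$PATH)"
    return 1
}

# run_logged NAME CMD...: run CMD with stdout and stderr appended to the log,
# record its exit status in the log, and return that status to the caller.
run_logged() {
    name=$1
    shift
    log "running $name: $*"
    "$@" >> "$LOG" 2>&1
    status=$?
    log "$name exited with status $status"
    return $status
}

# renew_main: the same sequence as the posted script, with every step checked.
renew_main() {
    log "Checking Letsencrypt cert renewal status"
    require_cmd "$NGINX" || return 1
    require_cmd "$CERTBOT" || return 1
    cd "$NGINX_DIR" || { log "ERROR: cannot cd to $NGINX_DIR"; return 1; }

    # Stop nginx so certbot's standalone server can bind port 80. If the stop
    # fails, do not continue: certbot would hit the still-running site instead.
    run_logged "nginx stop" "$NGINX" -s stop || return 1
    sleep 3

    run_logged "certbot renew" "$CERTBOT" renew
    renew_status=$?

    # Always bring nginx back, even when the renewal failed, so the site is not
    # left down; the command line matches the one used in the post.
    run_logged "nginx start" "$NGINX" -p '' -c nginx.conf || return 1
    return $renew_status
}

# Only perform the real renewal when RENEW_RUN=1 is set in the crontab entry, e.g.
#   45 23 * * * RENEW_RUN=1 /path/to/this/script.sh
# Without it the script just defines its functions, which keeps it safe to source.
if [ "${RENEW_RUN:-0}" = 1 ]; then
    renew_main
fi
```

The first time this runs from cron, the "running nginx stop" and "exited with status" lines, plus any captured stderr, show directly whether the stop step actually executed under cron's environment; comparing the logged PATH value with the one in the interactive shell is the quickest way to see what differs between the two runs.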