jobst
February 15, 2022, 11:04pm
#1
I am running certbot (1.23.0) on all of my machines (CentOS7.X, snapd) with the following command once a night:
/bin/certbot renew --max-log-backups 25 --non-interactive --no-bootstrap --no-self-upgrade --renew-hook /etc/letsencrypt_renewhook
yet every single machine has 300 logfiles or more.
Since I have the problem on every machine I have I can only assume "max-log-backups" does not work.
Just to be sure: am I doing something wrong?
_az
February 15, 2022, 11:27pm
#2
The Certbot snap comes with its own systemd timer for automatic renewal. Setting up an additional cron job is not necessary.
These flags are related only to the deprecated certbot-auto script; you can remove them.
jobst:
--max-log-backups 25
If you would like the Certbot renewal task to be affected by these flags, I suggest putting them in the global /etc/letsencrypt/cli.ini file:
max-log-backups = 25
renew-hook = /etc/letsencrypt_renewhook
2 Likes
Osiris
February 16, 2022, 7:09am
#3
Isn't --renew-hook written in the renewal configuration file?
1 Like
_az
February 16, 2022, 7:15am
#4
Yes, one could alternatively configure deploy_hook in the /etc/letsencrypt/renewal/*.conf file for that individual certificate.
I try to avoid giving advice which involves modifying the .conf files, at least until we have a better way to do it.
1 Like
9peppe
February 16, 2022, 7:15am
#5
cli.ini applies to every cert and it's supposed to be user editable.
The renewal configuration file is not supposed to be edited.
(I don't get setting the same renew hook for all certs, tho)
1 Like
Osiris
February 16, 2022, 9:13am
#6
I meant: if you run renew with a new option such as --renew-hook, wouldn't that new option be saved into the renewal conf file by Certbot itself? If not, why not?
2 Likes
_az
February 16, 2022, 9:54am
#7
Yes, OP could also run a force renewal with a --deploy-hook and avoid having to keep it in cli.ini. That's the recommendation in the documentation.
3 Likes
jobst
February 16, 2022, 8:39pm
#8
I just read all replies - I will take up some of the suggestions made, thank you.
However, nobody commented on the fact that "--max-log-backups 25" isn't working for me - at all, as the title of the topic suggests this is my problem and still is.
1 Like
rg305
February 16, 2022, 9:31pm
#9
It may have skipped that for several reasons.
Like:
because some of the other parameters were "obsolete" and conflicted/confused certbot
the expected log rotation service is not installed/supported by the underlying OS
I would try it again without the "obsolete" parameters.
1 Like
MikeMcQ
February 16, 2022, 10:19pm
#10
Have you used --max-log-backups from the beginning? Or did you add this after you noticed you had numerous log files?
I ask because it may not behave as you expect. I thought it would immediately trim my log history to the max but it does not. It rotates the latest X (25) logs going forward but any beyond that are orphaned.
Could this explain your situation?
2 Likes
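A way to check for the orphaned logs described in the post above, as an added example that is not part of the thread: it lists rotated log files whose numeric suffix is higher than the configured limit. It assumes certbot's log naming (letsencrypt.log, letsencrypt.log.1, ...); `list_orphaned_logs` and `make_sample_dir` are hypothetical helper names and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: find certbot log backups that rotation no longer manages.
# Assumption: logs are named letsencrypt.log, letsencrypt.log.1, letsencrypt.log.2, ...

# Print every backup in directory $1 whose numeric suffix is greater than limit $2.
list_orphaned_logs() {
    dir=$1
    max=$2
    for f in "$dir"/letsencrypt.log.*; do
        [ -e "$f" ] || continue          # glob matched nothing
        n=${f##*.}                       # text after the last dot
        case $n in
            ''|*[!0-9]*) continue ;;     # skip non-numeric suffixes (e.g. .gz)
        esac
        if [ "$n" -gt "$max" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: a temporary log directory holding letsencrypt.log
# plus backups .1 through .30, as if the limit had once been higher than 25.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/letsencrypt.log"
    i=1
    while [ "$i" -le 30 ]; do
        : > "$d/letsencrypt.log.$i"
        i=$((i + 1))
    done
    printf '%s\n' "$d"
}

# Example use against the default log directory (assumed path):
#   list_orphaned_logs /var/log/letsencrypt 25
```

If the command prints nothing while the directory still holds far more files than the limit, the limit is most likely not being applied to the run that writes the logs.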
rg305
February 16, 2022, 10:22pm
#11
Interesting...
@jobst
What shows
ls -ltr | tail -n 30
[on that directory]
2 Likes
jobst
February 17, 2022, 12:27am
#12
From the beginning.
At stages I actually have done a "rm -fr *" in the certbot logfile directory yet they still keep growing.
1 Like