New certificates every week

I’m using the cron commands below to check for expiring certificates each week, and if found, to renew the certs. Instead, I’m getting new certs issued every week, even if the current certs are not about to expire.

Is there a better way to do this? This is for an email only server. Thanks.

36 2 * * 3 root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log

36 3 * * 3 root /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d mydomain1 -d mydomain2 -d mydomain3 -d mydomain4 >> /var/log/letsencrypt/letsencrypt-auto-update.log

Hi @LE-thanks,

I think you might have been using an old tutorial for your setup, because we renamed letsencrypt-auto to certbot-auto about a year ago. Also, you’re using the old option --renew-by-default, which we’ve changed the name of because we were afraid it would confuse people in exactly this way.

The new name of --renew-by-default is --force-renewal, which might give you an idea of what the problem is and why we changed the name to make its action clearer. :slight_smile:

When you use --force-renewal or --renew-by-default, you are saying that you want the certificate to be renewed immediately. This is apparently the opposite of what you meant; the contrasting option which would be more appropriate in your situation is --keep-until-expiring.

However, we also implemented a feature called certbot renew, which looks at all of your certificates and renews only those that will expire in less than 30 days. This is meant to be run once per day or even more often, in the hope of renewing as soon as possible after reaching that 30-day window (and hence also having more time to respond if anything goes wrong).

In your setup, this would look something like

36 3 * * * root /opt/letsencrypt/certbot-auto renew --quiet

Specifying --standalone should not be necessary if that was the method most recently used to obtain or renew the certificates, because the authentication method is remembered for you in a file in /etc/letsencrypt/renewal that describes each certificate that you have.

There’s another point that certbot-auto is already intended to update itself when it’s run (without having to do the git pull), so it may be possible to get rid of the git command, which may be somewhat redundant with what certbot-auto itself will do.

4 Likes

@schoen, thanks so much for the prompt and detailed reply. It’s much appreciated.

The specific domains to be renewed are pulled via the .conf file in /etc/letsencrypt/renewal folder and should not be included in the cron command, right?

If I want to later add new domains to the existing certificate, my understanding is I’d issue a command with the --expand option. Afterwards, your cron command above would not need to be changed, since the new domains would have automatically been added to the .conf file. Is this correct?

Thanks again.

That’s right! Please note that when you use --expand, you should specify the complete new list of domains that the certificate will cover, not just those that you want to add.

Got it. Much appreciated. Cheers!

As a super-tiny correction, we considered having the domains listed in the .conf file, and it is technically possible to list them there, but we ended up deciding against this design and instead choosing to use the existing certificate as the canonical source for what domains should be included when the certificate is renewed. So whenever you run certbot renew, it is actually looking at the existing cert to get the list of domains, even though it looks at the .conf file for many other purposes.

So if I had multiple certificates, there would be multiple .conf files in the renewal folder (commonName1.conf, commonName2.conf, etc), and certbot-auto renew would check them all whenever the cron job runs?

Yep, that’s exactly right.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.