Running letsencrypt renew only once every two months is a bad idea.
Tell that to Let’s Encrypt. They suggest you can renew it every 2 months in their own documentation.
Even if you force the renewal to run every time by using --force-renewal, you still have the problem that sometimes renewals can fail for any reason (you changed your configuration, or LE had a temporary outage, or …) and in the event of a failure, you don’t try again until long after your certificate has expired.
Is that not what Server Admins are for? When the automatic scripts fail, the Admin steps in to fix the issue… They even say in the documentation that you must still monitor the server even though it is automated… What admin would ignore a single server? Show me one, and I’ll show you a bad Admin. All of the above problems would be experienced renewing in 1, 2, 10, 30, 60, and 90 days, so what's the difference?
What you should do is what I recommended above: run letsencrypt renew or certbot renew from cron once or twice a day, and use --post-hook to ensure you’re not needlessly restarting your web server, as the post-hook only runs when a renewal is actually attempted. You can also use service nginx reload instead of restart for even less downtime.
What one should and shouldn’t do is vague. What you think one should do is simply an opinion. Yes, using the post-hook is a better option, I’ll give you that - I did not know about that cli argument. What downtime? You mean the split second that it takes for NGiNX to restart? I can put a page on auto refresh, every 1 second, restart NGiNX and have 0 “page not displayed” errors… The time NGiNX takes to restart is only a fraction of a second (unless there are config errors of course). In fact, I perceive that as an insult towards NGiNX, considering its efficiency.
(Also… /etc/crontab requires a username in addition to the usual time-and-date fields; and the certbot certonly command in your last line doesn’t renew all domains, only the one specified in the command)
No, no it does not. Not if you are editing the system crontab, and not even if you are editing a user's crontab. The way it is set up in Debian 8 at least, is each user has their own crontabs. Therefore there is absolutely 0 need to specify a username. You can if you want though.
The crontab entry I suggested adding as root, making it a system-wide crontab (more accurately, a crontab owned by root). Alternatively, instead of SU to root, you could stay as a regular user (as long as it's the user of the website requesting the cert).
Furthermore, if someone sees “www.example.com” or a domain where their domain should be, and they don't see a way to add multiple domains, they kind of figure out to just repeat the same steps for each domain…
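The thread turns on two practical points: running `certbot renew` from cron once or twice a day with `--post-hook`, and whether a crontab line carries a username. The snippet below is an added example, not code from this thread or from Let's Encrypt; it assumes certbot is installed at /usr/bin/certbot and nginx is managed with the `service` command. It renders the same renewal entry in both crontab formats, since /etc/crontab and files under /etc/cron.d have a user field after the five time fields while a per-user crontab installed with `crontab -e` does not, and the post-hook runs `nginx -t` before the reload so a broken config is caught rather than reloaded.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: certbot at /usr/bin/certbot,
# nginx controlled via 'service nginx reload'.

# render_cron_line FORMAT
#   system -> entry for /etc/crontab or /etc/cron.d/*, which carry a user field
#   user   -> entry for a per-user crontab (crontab -e), which has no user field
render_cron_line() {
    # Twice a day at a fixed off-peak minute; the post-hook only fires when a
    # renewal is actually attempted, so nginx is not reloaded on every run.
    schedule="17 3,15 * * *"
    cmd="/usr/bin/certbot renew --quiet --post-hook 'nginx -t && service nginx reload'"
    case "$1" in
        system) printf '%s root %s\n' "$schedule" "$cmd" ;;
        user)   printf '%s %s\n' "$schedule" "$cmd" ;;
        *)      echo "usage: render_cron_line system|user" >&2; return 1 ;;
    esac
}

# fields_before_command LINE
# Counts the whitespace-separated fields that precede the command (the first
# field starting with '/'). A system-crontab line has 6 (five time fields plus
# the user), a per-user line has 5. Useful as a sanity check before installing.
fields_before_command() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 1) == "/") { print i - 1; exit }
    }'
}

# Stand-alone run: show both forms and their field counts.
for fmt in system user; do
    line="$(render_cron_line "$fmt")"
    printf '%-6s (%s leading fields): %s\n' "$fmt" "$(fields_before_command "$line")" "$line"
done
```

To install, append the `system` line to a file such as /etc/cron.d/certbot-renew, or pipe the `user` line into `crontab -` for the account that owns the certificates; `certbot renew --dry-run` exercises the whole path against the staging endpoint without touching the live certificate.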