[OS X Server 10.11.4] [crontab] certbot renew


#1

Hi!

I am running OS X Server version 10.11.4 as a web server (using Apache managed by the OS X Server app), and I installed certbot using this command in the terminal:

brew install certbot

Everything went ok and certbot was installed successfully.
Now I can create new SSL certificates, update them using the “sudo certbot renew” command, and everything is ok with that - I just need to use “sudo” before the command, as I think it is supposed to be!
My websites are secured and working well with these certificates.

The problem was when I tried to create a cronjob to automatically renew my certificates: I can’t use the “sudo” word in the cronjob because it will ask me for the password when the job is fired to be executed. Because of that, I created a cronjob as root using this command:

sudo crontab -e

… and I created this every-minute job (just for testing… afterwards I will fire it only twice a day):

*/1 * * * * sh /Volumes/HD2/letsencrypt/renew_all.sh

My “renew_all.sh” file is:


#!/bin/sh

DOMAIN_DEFAULT="bizeepro.no-ip.org"
PEM_FOLDER="/etc/letsencrypt/live/${DOMAIN_DEFAULT}/"
LOG_FOLDER="/Volumes/HD2/letsencrypt/logs"
DATE=$(date +"%d-%m-%Y %H_%M_%S")
LOG_FILE="${LOG_FOLDER}/${DATE}.log"

# Retrieve certificate (the log file name contains a space, so it must be quoted)
sudo certbot renew --manual-public-ip-logging-ok --agree-tos > "$LOG_FILE" 2>&1

# Check that everything went fine
LE_STATUS=$?

if [ "$LE_STATUS" -ne 0 ]; then
    echo "Automated Get certificate failed:"
    cat "$LOG_FILE"
    exit 1
fi

# Generate a passphrase
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)

# Transform the pem files into an OS X valid p12 file
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:$PASS"

# import the p12 file in the keychain
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "$PASS" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

The script is being executed every minute but it is giving me this error (I can see that in the log file):
“sudo: certbot: command not found”

It seems that, because the cronjob is being executed in root mode, the certbot command is not being found. I already tried to remove “sudo” and leave only “certbot renew --manual-public-ip-logging-ok --agree-tos > $LOG_FILE 2>&1” and the problem is the same --> the error message is “certbot: command not found”.

If, in the terminal, I execute the script manually, like this:

sh renew_all.sh

I get this:

unable to write 'random state'
1 identity imported.
2 certificates imported.

However, if i execute the command in the terminal as root, it works well:

sudo certbot renew

The result is:


Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bizeepro.no-ip.org.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/gestclinic.ddns.net.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/bizeepro.no-ip.org/fullchain.pem (skipped)
/etc/letsencrypt/live/gestclinic.ddns.net/fullchain.pem (skipped)


I know this is a common question but I already searched 1000 pages related to this problem and I can’t figure out how to solve it. I don’t understand why the command works in root mode after writing “sudo certbot renew” in the terminal, and doesn’t work in root mode when it is executed by the cronjob.

Can anybody help me with this problem please?

Thank you very much!


#2

Your crontab and sudo might be using different search paths. Maybe try

echo $PATH > /tmp/cron-path

at the beginning of your renew script, and see the difference, if any, from

sudo env | grep PATH

at your prompt. You can also find out where certbot is being run from via

sudo which certbot


#3

Hi schoen!

Yes, you were right!
I found the solution in this other thread, and when I came back here to update my post and write the solution, I also found your reply, and the problem was exactly the one you said: the environment cron was seeing was not quite the same as mine.

I wrote in the terminal:

echo $PATH

and I got:

/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/Server.app/Contents/ServerRoot/usr/bin:/Applications/Server.app/Contents/ServerRoot/usr/sbin

Then, I just added this line to the beginning of my renew script:

PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/Server.app/Contents/ServerRoot/usr/bin:/Applications/Server.app/Contents/ServerRoot/usr/sbin

After that, the script worked well.

I hope this can help someone else with the same problem.

Thank you for replying! :slight_smile:
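The diagnosis in #2 (compare the PATH cron gives the job with the one at your prompt) and the fix in #3 (set PATH at the top of the script), as an added example that is not code from this thread. It runs offline: a directory created with mktemp stands in for Homebrew's /usr/local/bin and contains a fake "certbot" script, so no real certbot or Let's Encrypt account is touched. The helper names resolve_with_path and run_renew are hypothetical, and the assumption that cron starts jobs with a minimal PATH of /usr/bin:/bin is the usual default rather than something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Shows why a root cron job cannot find a Homebrew-installed certbot and how
# setting PATH explicitly at the top of the wrapper script fixes it.
# Constructed pieces: FAKE_BIN (a temp dir standing in for /usr/local/bin)
# and a fake "certbot" inside it, so the script runs without the real tool.

# resolve_with_path: report where a command would be found under a given
# PATH. Runs in a subshell so the caller's own PATH is not changed.
resolve_with_path() {
    # $1 = PATH to test, $2 = command name
    ( PATH="$1"; command -v "$2" 2>/dev/null ) || echo "NOT FOUND"
}

# run_renew: the shape a cron-safe wrapper should have. PATH is set
# explicitly for the job, every path variable is quoted, and the exit
# status of the renewal is checked before anything else happens.
run_renew() {
    # $1 = PATH for the job, $2 = log file
    ( PATH="$1"; export PATH; certbot renew > "$2" 2>&1 )
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "Automated renewal failed (exit $status):"
        cat "$2"
    fi
    return "$status"
}

# --- constructed environment (stands in for /usr/local/bin/certbot) ------
FAKE_BIN=$(mktemp -d)
printf '#!/bin/sh\necho "fake certbot: $*"\n' > "$FAKE_BIN/certbot"
chmod +x "$FAKE_BIN/certbot"

# cron starts jobs with a minimal PATH (assumed here to be /usr/bin:/bin),
# even for root; nothing under /usr/local/bin is searched.
CRON_PATH="/usr/bin:/bin"
# The fix from #3: put the full PATH in the script itself.
FULL_PATH="$FAKE_BIN:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"

# Log file name without spaces (the thread's date format contains one).
LOG_FILE=$(mktemp)

echo "cron PATH  -> $(resolve_with_path "$CRON_PATH" certbot)"
echo "fixed PATH -> $(resolve_with_path "$FULL_PATH" certbot)"

run_renew "$CRON_PATH" "$LOG_FILE" || true   # reproduces "command not found"
run_renew "$FULL_PATH" "$LOG_FILE" && cat "$LOG_FILE"
```

The first run_renew call fails with the shell's "not found" message in the log (exit status 127), exactly the symptom in #1; the second succeeds because the job's PATH now includes the directory holding certbot. Using `command -v` instead of `which` keeps the check in the same shell that will run the job, which is what matters for a cron-driven script.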


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.