OSX certbot auto-renewal failing because of sudo

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
dsatoolkit.ddnsfree.com

I ran this command:
sudo /opt/local/bin/certbot renew

It produced this output:
with sudo:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

without sudo:

The following error was encountered:
[Errno 13] Permission denied: '/Users/loucapo/letsencrypt/logs/letsencrypt.log'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-565h53zr/log or re-run Certbot with -v for more details.

My web server is (include version):
NodeJS approx v14, with express

The operating system my web server runs on is (include version):
OSX 10.13.6 High Sierra

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

I couldn't find anything on the server that led me in the right direction. Any help is greatly appreciated.

Basically I can't get it to auto-renew because of the errors listed above. These occur when my cron job runs.

Thanks!

The first error is likely because sudo isn't configured to run for the user without a password. You can search for general "sudo osx" information to get that to work.

Usually people will use one of two options:
1. invoke the binary from the root crontab, not a user's
2. create a new user/group that has privileges for the directories, and run as that user/group

The second error is because certbot is running as a user that cannot access those files.

If you were on Linux, the best solution is running as root.

Since you're on OSX, it's a bit of a pain IMHO. Personally, I just invoke certbot as my normal user and use the command-line flags to specify an alternate directory structure instead of /etc/letsencrypt:

make a userspace certbot directory

mkdir -p ~/certbot/config
mkdir -p ~/certbot/work
mkdir -p ~/certbot/logs

run certbot like this

certbot \
--config-dir=~/certbot/config \
--work-dir=~/certbot/work \
--logs-dir=~/certbot/logs \
{commands/flags}

That's my personal preference. It works across all OSX versions, while doing things the "proper" way by leveraging the OS is apt to change every few releases, because that's just what Apple does.

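As an added example (not from the thread and not Certbot's own tooling): a wrapper script that a user-level cron job can call, so certbot renew runs as the normal user with the alternate directories from the reply above and never hits a sudo password prompt. It also checks the directories are writable before certbot does, which is the "[Errno 13] Permission denied" case from the original post. CERTBOT_HOME, CERTBOT_BIN, the function names and the /Users/example path are assumptions.

```shell
#!/bin/sh
# Added example: run "certbot renew" as the normal user with per-user
# config/work/logs directories, from cron, without sudo.
# CERTBOT_HOME, CERTBOT_BIN and the function names are assumed names.
set -eu

CERTBOT_HOME="${CERTBOT_HOME:-$HOME/certbot}"
CERTBOT_BIN="${CERTBOT_BIN:-/opt/local/bin/certbot}"

# Create config/work/logs and keep the tree private to this user: the config
# directory holds the account key and the certificates' private keys.
ensure_dirs() {
    mkdir -p "$CERTBOT_HOME/config" "$CERTBOT_HOME/work" "$CERTBOT_HOME/logs"
    chmod 700 "$CERTBOT_HOME" "$CERTBOT_HOME/config"
}

# Fail early with a readable message instead of certbot's "[Errno 13]
# Permission denied" when a directory is missing or not writable by us.
check_dirs() {
    for d in config work logs; do
        if [ ! -d "$CERTBOT_HOME/$d" ] || [ ! -w "$CERTBOT_HOME/$d" ]; then
            echo "certbot directory missing or not writable: $CERTBOT_HOME/$d" >&2
            return 1
        fi
    done
}

# Crontab line to add with "crontab -e" as the same user (03:17 daily).
# Absolute paths throughout: cron runs jobs via /bin/sh with a minimal
# environment, so do not count on ~ or PATH from your login shell.
crontab_entry() {
    printf '17 3 * * * CERTBOT_HOME=%s %s run >> %s/logs/cron.log 2>&1\n' \
        "$CERTBOT_HOME" "$1" "$CERTBOT_HOME"
}

# Renew whatever is due. --non-interactive: there is no terminal under cron,
# so certbot must never stop to ask a question.
renew() {
    check_dirs
    "$CERTBOT_BIN" renew --non-interactive \
        --config-dir="$CERTBOT_HOME/config" \
        --work-dir="$CERTBOT_HOME/work" \
        --logs-dir="$CERTBOT_HOME/logs"
}

case "${1:-}" in
    run)     ensure_dirs; renew ;;
    crontab) crontab_entry "$(cd "$(dirname "$0")" && pwd)/$(basename "$0")" ;;
esac
```

Run it once as `sh renew.sh crontab` to print the line to paste into your user's crontab; the cron job then calls it with `run`.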

Thanks for the tips!

So number one sounds easier, lol, and so that's what I would like to do. I just don't know how to do that, and my Google searching is failing because I am probably using the wrong terms.


Start with:
man crontab
