Renew all certificate using cron


#1

Hi friends,
on a VPS Debian Jessie Apache2, for the cron renew procedure, where all certificates were obtained with the “certonly” and “webroot” options, and a cli.ini very basic, is it correct run this command?

* 1 * * 1 /etc/certbot-auto renew --quiet

The new certificates, are downloaded within the previous directory, and every links updated automatically without need to human intervention? :slight_smile:

many many thanks!


#2

That’s a cron command ( from the * 1 * * 1 at the beginning) - which will run once per week. That should be fine though.

Personally I run my renew on a daily basis, but no real problem with weekly.

Depending on your setup, you may need to run the additional command --renew-hook “service apache2 reload” (or whatever is needed in your setup ) to load the new certs into your webserver.


#3

What do you mean about “Depending on your setup”?
Why to reload the web server? The previous keys was on Apache cache? So the server reload update the keys?

Many many thanks again! :wink:


#4

Correct

For a number of reasons 1) I don’t know if you are using certs for your mail server for example, so I don’t know if you also need to reload that. 2) this post will be read by others, and if I just say “you need to add …” then others, who may have nginx or some other system might think that they need to type the same command :wink: and 3) you may use “apachectl graceful” instead of “service apache2 reload” in your system.


#5

That command doesn’t look right to me - do you really have the certbot-auto program itself installed directly in /etc? That isn’t a typical location for it - usually it’ll be in /usr/bin or /usr/local/bin or the like, depending on how you installed the certbot tool.

Also, that cron job is very strangely-specified; it says to run every minute from 1:00 AM - 1:59 AM on every Monday. (In reality it would probably run every two minutes during those time periods, but that’s still very strange.) A better time specifier might be something like 17 */12 * * * which means run every 12 hours at 17 minutes past the hour, every day. Or if you just want to run once a day use @daily, or @weekly for once a week (however the standard configuration suggests running twice a day to handle revocations et al).

Run man 5 crontab for an explanation of what the fields mean and some useful examples of how to set up a timespec.


#6

Hi _fluffy, and thanks for your help.

You are right, I had taken an “old” usage example.
certbot is on /usb/bin/

However if the certificate can be renewed starting from one month before the deadline, don’t just run it once a week? :confused:

5 8 * * Sat /usr/bin/certbot renew --quiet -renew-hook “service apache2 reload”


#7

You can run the renewal step less often, but the reason to suggest once a day (or twice as @_fluffy mentioned) is that if something goes wrong (e.g. suppose Let’s Encrypt has a network fault and is offline for one hour just when you try to renew) you get more chances for it to be fixed and work before things get urgent.

It’s up to you of course.


#8

With new client…

1 0 * * * letsencrypt renew --no-self-upgrade >/dev/null && service apache2 reload


#9

It must not be a very new client, since letsencrypt was renamed to certbot in May.


#10

I prefer doing it this way personally, I have a bash script in /bin/certbotrenew.sh

#!/bin/bash
cd /opt/certbot
sudo ./certbot-auto renew >> /var/log/certbot-renew.log
sudo service nginx reload
mail -s "CERTBOT Renewals" me@gmail.com < /var/log/certbot-renew.log
exit 0

and then my cron is

00 20 * * 1 /bin/certbotrenew.sh

Never missed a single renewal yet.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.