Renew runs but always fails in crontab, works in shell

I have set up a cronjob for renewals, and although the cron will run, it will never renew the cert. It always returns the following in the log file (replaced mydomain with dummy):


Processing /etc/letsencrypt/renewal/mydomain.conf

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain/fullchain.pem (failure)

My cronjob looks like this:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

This is not a cronjob problem per se (as far as I can tell) because it does issue the command, it does run, and it logs. It simply will never actually renew the cert.

In the shell directly, if I issue the command, it will work and properly renew.

Check this thread - Letsencrypt renew not working with cronjob, manually it works

I already did, I don’t think it applies since my cron runs just fine. There is no error msg related to the command not being able to run as in your other thread.

The fact that command starts does not necessarily mean it successfully runs (to clarify - the process might start, spawn or attempt to spawn an external process relying on particular environment variables to be present, return from that with an exit code indicating the failure and terminate). Change the command to

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log 2>&1

and re-check the log.

I agree with you that you’ve got a different problem here, since indeed that output is from the letsencrypt client code running.

However, I think the 2>&1 trick (what that does is send the output named stderr, used for errors, to join the standard output) is still a good idea, and also you might consider, while debugging trouble at least, adding -v -v -v to the command itself, which will increase the verbosity (i.e. spew more detailed output).

Thanks for the advice. I will modify the cron and check the logs.

Slightly off topic but nice to know - I use 2>&1 if I’m piping the output, but if there’s a redirect to a logfile, it’s shorter and clearer to run command &>> logfile.log.

Enjoy!

Except that it doesn't always work (depends on the shell).

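Added example, not part of the original thread: a POSIX sh helper that runs a command under a stripped, cron-like environment and logs stdout, stderr and the exit status with the portable `>> file 2>&1` form, so a job that works in an interactive shell can be debugged without waiting for the schedule. The function names and the `CRON_PATH` value are assumptions for illustration; check your cron's documentation for the environment it really provides.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce cron's sparse environment
# from an interactive shell to debug "works in shell, fails in cron".

# Assumed cron-like default PATH (hypothetical value, adjust to your system).
CRON_PATH="/usr/bin:/bin"

# run_like_cron LOGFILE COMMAND
# Runs COMMAND through /bin/sh with an emptied environment, appends stdout
# AND stderr to LOGFILE using the form that works in every POSIX shell,
# records the exit status in the log, and returns that status.
run_like_cron() {
    rlc_log=$1
    rlc_cmd=$2
    rlc_status=0
    env -i HOME="$HOME" LOGNAME="${LOGNAME:-$(id -un)}" \
        PATH="$CRON_PATH" SHELL=/bin/sh \
        /bin/sh -c "$rlc_cmd" >> "$rlc_log" 2>&1 || rlc_status=$?
    printf '[exit status: %s]\n' "$rlc_status" >> "$rlc_log"
    return "$rlc_status"
}

# run_stdout_only LOGFILE COMMAND
# Same environment, but only stdout is redirected, as in the first crontab
# line of the thread. stderr is discarded here for the demonstration (cron
# would mail it to the job owner), so the error text never reaches the log.
run_stdout_only() {
    env -i HOME="$HOME" PATH="$CRON_PATH" SHELL=/bin/sh \
        /bin/sh -c "$2" >> "$1" 2>/dev/null
}

# Usage (path taken from the thread; log file name is a placeholder):
#   run_like_cron /tmp/le-renew-test.log \
#       '/opt/letsencrypt/letsencrypt-auto renew -v -v -v'
```

If the command fails here but succeeds in your login shell, compare the output of `env` in both environments to find the variable the job depends on.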