Renewal fails as cron and as command line task

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:
letsencrypt renew --dry-run

It produced this output:
Processing /etc/letsencrypt/renewal/kathyisawesome.com.conf
2016-09-06 14:54:45,028:WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/kathyisawesome.com.conf is broken. Skipping.
** DRY RUN: simulating ‘letsencrypt renew’ close to cert expiry
** (The test certificates below have not been saved.)

No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/kathyisawesome.com.conf (parsefail)
** DRY RUN: simulating ‘letsencrypt renew’ close to cert expiry
** (The test certificates above have not been saved.)
0 renew failure(s), 1 parse failure(s)

My operating system is (include version):
Windows 10

My web server is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


Relatedly, I have

12 3,15 * * * letsencrypt renew

in my crontab, and I get the following email:

Subject: Cron leftback@mail letsencrypt renew

An unexpected error occurred:
IOError: [Errno 13] Permission denied: '/var/log/letsencrypt/letsencrypt.log'
Please see the logfile ‘letsencrypt.log’ for more details.

But there’s nothing new/current in the log file.

The crontab error looks like the problem is that when cron runs, it is running as somebody other than whoever owns /var/log/letsencrypt/letsencrypt.log, which is probably whoever ran it from the command line.

It might make sense to have cron run this job as somebody else, or to use sudo (or whatever) to change the ownership of the log file to match whoever the cron job runs as.

The “broken” configuration file I have no instant recognition of; hopefully someone else can help better with that. It may help them if you can post the exact contents of /etc/letsencrypt/renewal/kathyisawesome.com.conf.

Given the other problem, it could be worth checking who owns this file too.
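An added example, not part of any post in this thread: a small ownership check for the two paths discussed above (the log file from the cron email and the renewal configuration file). The function names are hypothetical, and the check is ownership-only, which assumes group and mode bits are not what grants access.

```shell
#!/bin/sh
# Added example: count the paths a cron job's user does not own.
# Ownership-only check; group membership and mode bits are ignored
# (a simplification).

# owner_uid PATH -> prints the numeric uid that owns PATH
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# unowned_by UID PATH... -> prints how many PATHs are missing or owned by
# a different uid. Per-path details go to stderr. uid 0 (root) is treated
# as able to use every existing path.
unowned_by() {
    want=$1; shift
    bad=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p" >&2
            bad=$((bad + 1))
            continue
        fi
        have=$(owner_uid "$p")
        if [ "$want" -eq 0 ] || [ "$have" -eq "$want" ]; then
            echo "OK       $p (owner uid $have)" >&2
        else
            echo "MISMATCH $p (owner uid $have, job runs as uid $want)" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Usage: sh check.sh <uid-the-cron-job-runs-as>
if [ "$#" -eq 1 ]; then
    unowned_by "$1" /var/log/letsencrypt/letsencrypt.log \
        /etc/letsencrypt/renewal/kathyisawesome.com.conf
fi
```

Run it with the output of `id -u` for the account whose crontab holds the renew job; any MISMATCH line points at a file that account does not own.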

You need to upgrade to certbot. That is one common error in Ubuntu 16.04 LTS in recent time because of the recent switch from the letsencrypt package to the certbot package, and Ubuntu 16.04 is not exactly updating their packages faster. You have not done anything wrong.

I checked your header; you are an Apache user. I have a ready-to-use guide to update things to the latest, but it is for Nginx - certbot-ubuntu-letsencrypt-16-04-error-fix. In case you are going to follow my way, kindly do not run the commands first. Read and understand the situation and why it is written. You may follow the initial steps of that guide, but you need to generate the certificate in the official Apache way as you are an Apache user - https://certbot.eff.org/docs/using.html#apache . My guide was for the same situation for Nginx users. It will give you an idea of what the easiest solution is.

In short, you’ll clone the GitHub repo of certbot, remove the apt version of letsencrypt, and run commands to generate the certificate freshly.

In case you want to debug and troubleshoot for some kind of advanced fix, run the command with -vvv. You will get a lot of errors. The older package is not forward compatible. Try to run with sudo letsencrypt renew --dry-run. If you are successful, that is great. You can see this GitHub discussion – https://github.com/certbot/certbot/issues/2550 if you want to manually correct the errors. That is the difficult way, but you may want it. In short, you need to symlink and move a lot of files. That, too, is not a forever fix.

Thank you for replying! I have followed AbhishekGhosh’s instructions to upgrade to certbot. That seems to be working for me.

Thanks for the reply! It’s tricky since all the docu has different information.

Homepage says to install letsencrypt for Ubuntu
Docu says run certbot-auto
and your instructions say run certbot

With your instructions I do have a new certificate! So that’s a plus. I had some trouble restarting Apache but figured out that I was trying to include a conf file that no longer exists in the updated certbot files. Also, I figured out that to prevent needing to stop Apache I had to use the --webroot flag exactly like in your tutorial.

Here’s what I did for anyone else who finds this:

sudo apt-get purge --auto-remove letsencrypt

sudo apt update
sudo apt install git

sudo git clone https://github.com/certbot/certbot /opt/certbot
sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot

certbot certonly --webroot -w /var/www/example.com -d example.com -d www.example.com

NB: my apache sites were already configured to look in
/etc/letsencrypt/live/example/fullchain.pem

But I had to remove the line from my /etc/apache2/sites-available/default-ssl.conf

Include /etc/letsencrypt/options-ssl-apache.conf

since that no longer exists, and trying to include it prevents Apache from starting.


Thank you!

I spoke too soon. I have upgraded to certbot and sorted out my config files, but the cron command still doesn't succeed. Now, the emails that cron generates are providing the following error:

cron certbot renew Requesting root privileges to run certbot no tty present and no askpass program specified

So there's still some kind of permissions error. Manually trying letsencrypt renew --dry-run does request sudo creds. Is sudo the only way to run letsencrypt?

Hi @helgatheviking, probably certbot should be run from root’s crontab rather than from an individual user’s crontab. It does require root privileges for some tasks on most systems.
