Renewal help for standalone with cron job


#1

Hi Nik,
Can you share me about your solution for renew automatically?
I used standalone plugin to create certs on my webserver Nginx also

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone

I can renew manual by

service nginx stop
/opt/letsencrypt/letsencrypt-auto renew
service nginx restart

But hard to do it automatically via crontab. Adding this lines to crontab doesn’t work

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log && service nginx reload

I have researched about some cases but mostly cert was created by webroot plugin
Can I edit /opt/letsencrypt/examples/cli.ini then run script renew on it?

30 1 * * 1 /opt/letsencrypt/letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini >> /var/log/le-renew.log && service nginx restart


Renew a cert with webroot plugin which was generated with standalone plugin
#2

I split this off into a new thread because I don’t think it’s about the original thread’s topic.

@kazeuraki, it seems like your cron job has the problem that it’s missing the service nginx stop and service nginx restart. There is now a feature called --pre-hook and --post-hook for this; how about something like

/opt/letsencrypt/letsencrypt-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/le-renew.log

instead?

The --renew-by-default version that you quoted at the bottom is kind is unfortunate because it will renew the certificate in question every week, which is more often than necessary.

To summarize a few points:

① If you’re using --standalone for your certificates, you typically want to service nginx stop and service nginx start before and after actually doing a renewal, because the standalone configurator will want to use the TCP ports that your web server was using.

② If you’re using letsencrypt-auto renew and similar forms, it decides for you whether or not to renew each individual certificate. This command can be run very frequently (it does not need to be run only once per week or only once per month). However, for renewing --standalone certificates, it still wants to stop and restart the web server, which can be done with --pre-hook and --post-hook. For other certificates, you will need some way to at least reload or graceful restart the web server configuration when a renewal happens (which could be done with --renew-hook).

③ If you’re using certonly --renew-by-default (which is now normally written as certonly --force-renew), it will try to renew the specified certificate at the time the command is run. If run very frequently, that can trigger Let’s Encrypt rate limits. The certonly subcommand acts only on a single specified certificate, not on multiple certificates. This is normally not recommended with cron jobs, although it’s theoretically possible to use it with them if you understand Certbot and cron well and are careful. For --standalone certificates, this would also still need a command to stop and restart the web server.

I hope that’s clear; there are a lot of details here.


#3

Thank for your support.
① Did this command can renew all certs installed inside my VPS? or only one cert one time. My VPS install domainA and domainB and Let’s Encrypt for each domain as well.
Follow your advice, i change my crontab to

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew --pre-hook “service nginx stop” --post-hook “service nginx start” >> /var/log/le-renew.log

It will take 30 days to test so I will feedback later
② Thank you so much for recommend this feature. Previous, my crontab is

28 2 * * 1 service nginx stop
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log && service nginx reload

I’m trying to avoid using it cause this will stop webserver whether certs are renewed or not. So, --pre-hook and --post-hook wil stop&start webserver only when need to renew certs.
③ Thank you for warning --renew-by-default. It will trigger rate limit (5 certs in 7 days). I will not use it anymore
Last but not least, THANK YOU SO MUCH


#4

It should attempt to renew all certs that are less than 30 days away from expiry.

I hope this version works well for you; please let us know if you have any problems in the future!


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.