Server doesn't update certificates automatically


#1

So, we have a cron job to run every morning, thinking that it was auto-renewing the certificates. However, yesterday we hit the 90 days and discovered that they weren’t updated. I’ve done this manually (logging in to shell and running certbot-auto to configure them), which works fine. However, the cron job doesn’t.

Here’s an error from the log file -

2018-01-23 03:37:04,284:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-02-12 09:59:34 UTC.
2018-01-23 03:37:04,285:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2018-01-23 03:37:04,300:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-01-23 03:37:04,312:DEBUG:certbot.plugins.disco:No installation (PluginEntryPoint#nginx):
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/disco.py", line 130, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 150, in prepare
    raise errors.NoInstallationError
NoInstallationError
2018-01-23 03:37:04,314:DEBUG:certbot.plugins.selection:No candidate plugin
2018-01-23 03:37:04,314:DEBUG:certbot.plugins.selection:No candidate plugin
2018-01-23 03:37:04,314:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2018-01-23 03:37:04,314:INFO:certbot.main:Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()
2018-01-23 03:37:04,315:WARNING:certbot.renewal:Attempting to renew cert (stage.adsfs.tgmg.cloud) from /etc/letsencrypt/renewal/stage.adsfs.tgmg.cloud.conf produced an unexpected error: The nginx plugin is not working; there may be probl\
ems with your existing configuration.
The error was: NoInstallationError(). Skipping.
2018-01-23 03:37:04,322:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 425, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 736, in renew_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/selection.py", line 201, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/selection.py", line 297, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
PluginSelectionError: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()

Would this be a problem with certbot-auto (not being happy with the nginx plugin)? How do I check if I have the nginx plugin installed and that it’s working?
TIA


#2

Hi @kabads,

What command is run from your cron job to perform the renewal? What command did you run that caused the renewal to work successfully?


#3

cron job is:

37 3 * * * /usr/local/bin/certbot-auto renew --no-self-upgrade --post-hook "systemctl reload nginx"

and the manual command was:

certbot-auto --no-self-upgrade renew

What is it about the cron version that might not make it work? Does the --no-self-upgrade prevent it from running if it’s out of date?


#4

Hi @kabads,

I checked in with my colleagues and found out that this means that your nginx binary is not in the PATH when you’re running from crontab, but it is in your PATH when you’re running on the command line.

You can probably find out what the directory in question is by running which nginx on the command line. It’s also possible to declare a PATH in crontab.


#5

Thank you @schoen - I was looking at paths from other posts and came up with this as a script:

#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/usr/local/bin/certbot-auto renew --nginx --no-self-upgrade 

However, I’ve just run this via cron, and I’m not getting anything in the log files.


#6

Like not at all in /var/log/letsencrypt?

By the way, renew --nginx is not a good idea. renew already remembers what method you used to authenticate before. You don’t want to change the authentication method just because you’re doing a renewal. (However, that’s not related to your question.)


#7

/var/log/letsencrypt/letsencrypt.log exists and has an entry from me running the command earlier today - but nothing from the cron jobs, that refer to the script - the cron jobs are running as they are listed in /var/log/syslog. Very strange.

I’ll take out the reference to --nginx.


#8

You could try adding a touch /tmp/$$ to your script or something so you can see side effects to confirm whether it’s running.
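
Added example (not part of the original thread, and not certbot's own code): a small POSIX sh helper that covers the two checks suggested in posts #4 and #8, namely whether nginx resolves under the PATH cron uses, and whether the cron job ran at all and what it printed. The function names, the `CRON_PATH` value (a common cron default, check crontab(5) on your system) and the log path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: diagnose a job that works interactively but fails from cron.

# Assumption: a common default PATH for cron jobs; yours may differ.
CRON_PATH="/usr/bin:/bin"
# The PATH declared in the script from post #5.
WIDE_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# resolves_under PATH_VALUE BINARY
# Prints the resolved location and returns 0 if BINARY is found under
# PATH_VALUE. The subshell keeps the caller's PATH untouched.
resolves_under() {
    ( PATH=$1; command -v "$2" )
}

# run_logged LOGFILE COMMAND [ARGS...]
# Appends a start marker (time, pid, effective PATH), the command's stdout
# and stderr, and its exit status to LOGFILE, so a silent cron run still
# leaves evidence. Returns the command's exit status.
run_logged() {
    log=$1; shift
    {
        printf '%s start pid=%s PATH=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$PATH"
        cmd_status=0
        "$@" || cmd_status=$?
        printf '%s end status=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmd_status"
    } >>"$log" 2>&1
    return "$cmd_status"
}

# Compare what cron would see with what the wider PATH sees.
for p in "$CRON_PATH" "$WIDE_PATH"; do
    if found=$(resolves_under "$p" nginx); then
        echo "PATH=$p -> $found"
    else
        echo "PATH=$p -> nginx not found"
    fi
done

# In the cron script, after setting PATH (log path is hypothetical):
#   run_logged /var/log/certbot-cron.log \
#       /usr/local/bin/certbot-auto renew --no-self-upgrade
```

If the log file never gains a `start` line, the script is not being executed by cron at all; if it gains one, the recorded PATH and output show what certbot saw.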

