None of the certbot commands work without sudo. All produce this output:
An unexpected error occurred:
ImportError: cannot import name 'constants'
Please see the logfile '/tmp/tmp6ril8qt7/log' for more details.
With sudo, everything works fine, that is, creating, renewing, etc. Problem is, I can’t create a crontab since running certbot renew --quiet (changed quiet for dry-run, just testing first) always gives the error above.
Any idea how can I make it work without sudo? I’m guessing it needs sudo since all installs used sudo, but not quite sure.
Certbot relies on root access to your server, so you can't really run certbot without sudo.
There are clients that support non-root accounts or without sudo access, like acme.sh.
You can find the full list here: letsencrypt.org/docs/client-options/
I’m reading about certbot-auto @ https://certbot.eff.org/docs/install.html#certbot-auto. Does it auto-renew without need of sudo? I wanted to avoid using it since it’s just a wget instead of actually having apt manage its version (so I would not get notification of upgrades if I just wget it and set it up).
Anyway, after further research, I had a wrong assumption that setting a crontab command with sudo would fail since it would request the password…
According to this https://askubuntu.com/a/173930/157139, if I run sudo crontab -e, it would run any commands in it as sudo already, so no sudo is needed for the recorded commands themselves, meaning I can just put certbot renew --quiet without issues.
I’m hoping this is correct and it’ll renew for me when needed.
43 04 * * * root /usr/bin/certbot renew --post-hook "systemctl reload nginx" (on one line)
Check the correct path of certbot with sudo which certbot. It’s a good idea to use full pathnames to certbot or any other executable in cron or shell scripts.
Also declare the root user in your cron entry.
“sudo” is your friend. Get comfortable with it.
Careful with this: if you're editing /etc/crontab or another system-wide crontab, you do need to declare the root user, but if you're editing the personal crontab of the root user (e.g. with crontab -e as root), you don't and shouldn't (because the user field should never be present in a user's personal crontab).
I recommend putting the job into the /etc/cron.daily directory. Jobs started from this place have enough start-time randomization to avoid load peaks at the wall-clock hour change.
I’m doing sudo crontab -e and then adding the line, so if I got it right, I’m supposed to add root before the path since sudo crontab edits the /etc/crontab.
For the post-hook, do I need to make the path for everything too? Like /bin/systemctl reload nginx or /usr/local/bin/pm2 restart all? Example:
By the way, regarding the /etc/cron.daily comment. I see it is a folder, not a file. So how does it work? I see there are a bunch of files in it, most are shell scripts.
I just drop a new file in it, set it executable (+x) and write whatever bash inside?
Looking at a command I found on askubuntu, grep run-parts /etc/crontab:
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
So my VPS would run dailies at 6:25 AM, it seems.
Does run-parts work like crontab? How does it work for the binaries, do I need to put the complete path when invoking? Do they run as sudo too? Would I need to prepend root before the command as well?
That's not correct; it edits root's personal crontab file and should not include usernames. (See the difference between cat /etc/crontab and sudo crontab -e.)
That's right, run-parts runs each executable in that directory. So if you put an executable shell script there, it will be run automatically every day.
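A script of the kind schoen describes dropping into /etc/cron.daily, written as an added example (not code from the thread or from certbot): it assumes certbot in /usr/bin and systemctl in /bin, pins PATH so a user-local copy like the one in ~/.local/bin cannot shadow the system certbot, and also shows the user-field difference between system-wide and personal crontab lines discussed above.

```shell
#!/bin/sh
# Added example, not from the thread: a candidate /etc/cron.daily/certbot-renew script.
# Assumptions (not stated in the thread): certbot lives in /usr/bin, systemctl in /bin,
# and the web server unit is called "nginx".

# run-parts jobs in /etc/cron.daily run as root with cron's minimal environment, so pin
# PATH to system directories: a stray ~/.local/bin/certbot must never be picked up.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Resolve a program name strictly from system directories (the "sudo which certbot"
# view), ignoring anything installed under a user's home. Prints the path or fails.
system_bin() {
    ( PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; command -v "$1" )
}

# Build the renew command line from absolute paths, post-hook included.
renew_cmd() {
    printf '%s renew --quiet --post-hook "%s reload nginx"\n' "$1" "$2"
}

# Print the equivalent crontab line. System-wide files (/etc/crontab, /etc/cron.d/*)
# take a user field; a personal crontab (sudo crontab -e) must not have one.
cron_entry() {
    case "$1" in
        system)   printf '43 04 * * * root %s\n' "$2" ;;
        personal) printf '43 04 * * * %s\n'      "$2" ;;
        *)        return 1 ;;
    esac
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    certbot=$(system_bin certbot)     || { echo "certbot not in system dirs" >&2; return 1; }
    systemctl=$(system_bin systemctl) || { echo "systemctl not found" >&2; return 1; }
    eval "$(renew_cmd "$certbot" "$systemctl")"
}

# Only run the job when invoked under its cron.daily file name; sourcing or running
# the file under another name just defines the functions.
if [ "$(basename "$0")" = "certbot-renew" ]; then
    main
fi
```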
schoen, bruncsak, rip, stevenzhu.
Thank you all for the replies. I think it is solved now.
Regarding that, I found something curious:
which certbot
/home/raphaelddl/.local/bin/certbot
sudo which certbot
/usr/bin/certbot
The sudo one works fine; it's the one from .local that gives the ImportError: cannot import name 'constants' error.
Does certbot make a copy or symlink into .local, or is that some issue with the installation? I remember when I installed the cloudflare dns plugin the first time, instead of an import error, I was getting a version mismatch, which was super odd, so I uninstalled that version and tried again. Maybe it's a leftover?