Ubuntu 18 - certbot commands don't work without sudo

Hello there,

My domain is: epicsevendb.com

Using NGINX 1.17.3 on an Ubuntu 18.04 DigitalOcean Droplet.
Certbot 0.31.0 installed.

I ran the commands for installing as described in docs for “Ubuntu” in https://certbot.eff.org/docs/install.html#operating-system-packages
I also installed the cloudflare plugin with sudo apt-get install python3-certbot-dns-cloudflare

None of the certbot commands work without sudo. All produce this output:

An unexpected error occurred:
ImportError: cannot import name 'constants'

Please see the logfile '/tmp/tmp6ril8qt7/log' for more details.

With sudo, everything works fine, that is, creating, renewing, etc. Problem is, I can’t create a crontab since running certbot renew --quiet (changed quiet for dry-run, just testing first) always gives the error above.

Any idea how I can make it work without sudo? I’m guessing it needs sudo since all installs used sudo, but I'm not quite sure.

Best,
Raphael

Hi,

Certbot relies on root access to your server, so you can’t really run certbot without sudo.
There are clients that support non-root accounts or without sudo access, like acme.sh.
You can find the full list here: letsencrypt.org/docs/client-options/

Thank you

Thank you for the reply.

I’m reading about certbot-auto @ https://certbot.eff.org/docs/install.html#certbot-auto. Does it auto-renew without the need of sudo? I wanted to avoid using it since it’s just a wget instead of actually having apt managing its version (so I would not get notification of upgrades if I just wget it and set it up).

Anyway, after further research, I had a wrong assumption that setting a crontab command with sudo would fail since it would request the password…

According to this https://askubuntu.com/a/173930/157139 if I run sudo crontab -e, it would run any commands on it as sudo already, so no sudo is needed for the commands themselves, meaning I can just put certbot renew --quiet without issues.

I’m hoping this is correct and it’ll renew for me when needed :smiley:

Thank you again

Hi @RaphaelDDL

Your cronjob should look something like:

43 04 * * * root /usr/bin/certbot renew --post-hook "systemctl reload nginx" (on one line)

Check the correct path of certbot with sudo which certbot. It’s a good idea to use full path-names to certbot or any other executable in cron or shell scripts.

Also declare the root user in your cron entry.
“sudo” is your friend. get comfortable with it. :wink:

Hope that helps
Rip


Careful with this: if you’re editing /etc/crontab or another system-wide crontab, you do need to declare the root user, but if you’re editing the personal crontab of the root user (e.g. with crontab -e as root), you don’t and shouldn’t (because the user field should never be present in a user’s personal crontab).

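The two crontab formats discussed above, as an added example that is not part of the thread: a small POSIX sh helper that emits the certbot renew entry either for a system-wide crontab (/etc/crontab or /etc/cron.d/*, which need the user field) or for root's personal crontab (sudo crontab -e, which must not have one), with full paths and a per-host minute instead of :00. The binary paths are assumptions taken from the thread's own `sudo which certbot` output; the post-hook is the one used above.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a cron entry for certbot renew
# in either crontab format. Paths below are assumptions: /usr/bin/certbot is
# what the thread's `sudo which certbot` printed, /bin/systemctl is the
# Ubuntu 18.04 location.
set -eu

CERTBOT=/usr/bin/certbot          # assumption: from `sudo which certbot`
SYSTEMCTL=/bin/systemctl          # assumption: Ubuntu 18.04 path
POST_HOOK="$SYSTEMCTL reload nginx"

# cron_line KIND MINUTE HOUR
#   KIND "system": /etc/crontab or /etc/cron.d/* -> user field required.
#   KIND "user":   root's own crontab (sudo crontab -e) -> no user field.
cron_line() {
    kind=$1; minute=$2; hour=$3
    case "$minute" in
        ''|*[!0-9]*) echo "bad minute: $minute" >&2; return 1 ;;
    esac
    [ "$minute" -le 59 ] || { echo "minute out of range: $minute" >&2; return 1; }
    # Full paths everywhere: cron runs with a minimal PATH.
    cmd="$CERTBOT renew --quiet --post-hook \"$POST_HOOK\""
    case "$kind" in
        system) printf '%s %s * * * root %s\n' "$minute" "$hour" "$cmd" ;;
        user)   printf '%s %s * * * %s\n' "$minute" "$hour" "$cmd" ;;
        *)      echo "kind must be system or user" >&2; return 1 ;;
    esac
}

# random_minute HOSTNAME: a stable minute in 0..59 derived from the hostname,
# so each host gets its own slot instead of everyone hitting the ACME server
# at minute 0 of the hour.
random_minute() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $((sum % 60))
}

# Example: the line to paste into `sudo crontab -e` (no user field).
cron_line user "$(random_minute example-host)" 4
# And the equivalent line for /etc/crontab or a file in /etc/cron.d/.
cron_line system "$(random_minute example-host)" 4
```

Pasting the "user" line into sudo crontab -e is enough; only a file under /etc/cron.d/ or /etc/crontab itself takes the "system" form. If you want different minutes per host without remembering them, feed the hostname to random_minute as the block does.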

I recommend putting the job into the /etc/cron.daily directory. Jobs started from there have enough start-time randomization to avoid load peaks at the wall-clock hour change.

Okay, cool.

I’m doing sudo crontab -e and then adding the line, so if I got it right, I’m supposed to add root before the path since sudo crontab edits the /etc/crontab.

for the post-hook, do I need to make the path for everything too? Like /bin/systemctl reload nginx or /usr/local/bin/pm2 restart all? Example:

0 4 * * * root /path/to/certbot renew --quiet --post-hook "/bin/systemctl reload nginx && /usr/local/bin/pm2 restart all"
OR
0 4 * * * root /path/to/certbot renew --quiet --post-hook "systemctl reload nginx && pm2 restart all" is enough?

ps.: every day at 4am

90% of the people start at minute 0 of the hour, so there is a huge load on the ACME server at the hour change. Please randomize the start time a bit.

Will do. Changed to 39 4 :smiley:

By the way, regarding the /etc/cron.daily comment. I see it is a folder, not a file. So how does it work? I see there are a bunch of files on it, most are shell scripts.

I just drop a new file on it, set to executable -x and write whatever bash inside?

Looking at a command I found on askubuntu grep run-parts /etc/crontab:

17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

So my VPS would run the dailies at 6:25 AM, it seems.

Does run-parts work like crontab? How does it work for the binaries, do I need to put the complete path when invoking them? Do they run as sudo too? Would I need to prepend root before the command as well?

Thank you

That’s not correct; it edits root’s personal crontab file and should not include usernames. (See the difference between cat /etc/crontab and sudo crontab -e.)


That’s right, run-parts runs each executable in that directory. So if you put an executable shell script there, it will be run automatically every day.

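The /etc/cron.daily route, as an added example that is not part of the thread: a POSIX sh helper that writes the renewal job as a run-parts script and checks the two things run-parts actually cares about. Debian's run-parts (the one on Ubuntu) executes only files whose names consist of ASCII letters, digits, underscores and hyphens, so a file called certbot-renew.sh is silently skipped, and the file must be executable. Scripts there run as root with no user field and no sudo; the grep run-parts /etc/crontab output above also shows that when /usr/sbin/anacron is present the 6:25 line is skipped and anacron runs /etc/cron.daily on its own schedule instead. Paths are assumptions (the thread's /usr/bin/certbot and Ubuntu's /bin/systemctl); the demo writes into a temporary directory so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread). Installs a certbot renewal job as a
# run-parts script and validates it the way run-parts would. Assumptions:
# /usr/bin/certbot (from the thread's `sudo which certbot`), /bin/systemctl
# (Ubuntu 18.04). The demo target is a temp dir, not /etc/cron.daily.
set -eu

CERTBOT=/usr/bin/certbot    # assumption: from `sudo which certbot`
SYSTEMCTL=/bin/systemctl    # assumption: Ubuntu 18.04 path
JOB_NAME=certbot-renew      # no dot: run-parts would ignore "certbot-renew.sh"

# run_parts_name_ok NAME: 0 if run-parts in its default mode would run it
# (name matches ^[A-Za-z0-9_-]+$), 1 otherwise.
run_parts_name_ok() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_daily_job DIR: write DIR/$JOB_NAME and print its path.
install_daily_job() {
    dir=$1
    run_parts_name_ok "$JOB_NAME" || { echo "bad job name: $JOB_NAME" >&2; return 1; }
    path="$dir/$JOB_NAME"
    cat > "$path" <<EOF
#!/bin/sh
# Runs as root from /etc/cron.daily via run-parts: no user field, no sudo,
# full paths because cron's PATH is minimal.
$CERTBOT renew --quiet --post-hook "$SYSTEMCTL reload nginx"
EOF
    chmod 0755 "$path"
    echo "$path"
}

# job_is_runnable PATH: regular, executable, and named so run-parts takes it.
job_is_runnable() {
    [ -f "$1" ] && [ -x "$1" ] && run_parts_name_ok "$(basename "$1")"
}

# Demo against a temp dir. On the real host: sudo sh -c '. ./this.sh' is not
# needed; just call install_daily_job /etc/cron.daily as root.
demo_dir=$(mktemp -d)
job=$(install_daily_job "$demo_dir")
if job_is_runnable "$job"; then echo "ok: $job"; else echo "not runnable: $job"; fi
rm -rf "$demo_dir"
```

To see which scripts run-parts would pick up without running them, run-parts --test /etc/cron.daily lists them; a renamed certbot-renew.sh disappears from that list, which is the failure mode the name check above guards against.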

schoen, bruncsak, rip, stevenzhu.
Thank you all for the replies. I think it is solved now.

Regarding that, I found something curious

which certbot
/home/raphaelddl/.local/bin/certbot
sudo which certbot
/usr/bin/certbot

The sudo one works fine; it's this one from .local that gives the ImportError: cannot import name 'constants' error.

Does certbot make a copy or symlink into .local, or is that some issue with the installation? I remember when I installed the cloudflare dns plugin the first time, instead of an import error, I was getting a version mismatch, which was super odd, so I uninstalled the version and tried again. Maybe it’s a leftover?
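The which / sudo which discrepancy above, as an added diagnostic example that is not part of the thread: the apt package installs only /usr/bin/certbot and never touches ~/.local, so a ~/.local/bin/certbot is almost certainly a leftover pip --user install. Ubuntu's default ~/.profile prepends ~/.local/bin to PATH when that directory exists, while sudo replaces PATH with secure_path from /etc/sudoers, so the unprivileged shell finds the stale copy first and the root shell finds the packaged one. The helper below lists every executable of a name along a PATH, in lookup order, against a constructed directory layout that mirrors the thread; on a real host call it with "$PATH".

```shell
#!/bin/sh
# Added example (not from the thread). Shows PATH shadowing: a user-local
# certbot found before the packaged one. The directory layout is constructed
# in a temp dir; the real-host equivalent is `all_in_path certbot "$PATH"`.
set -eu

# all_in_path NAME PATHLIST: every executable NAME on PATHLIST, in the order
# the shell would search them (first line is what actually runs).
all_in_path() {
    name=$1
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
        fi
    done
    return 0
}

# first_in_path NAME PATHLIST: the one the shell resolves.
first_in_path() { all_in_path "$1" "$2" | head -n 1; }

# shadowed NAME PATHLIST: 0 if more than one NAME is reachable via PATHLIST.
shadowed() {
    n=$(all_in_path "$1" "$2" | wc -l)
    [ "$((n))" -gt 1 ]
}

# make_fixture: constructed layout, a user-local copy plus the packaged one.
# Prints the temp root. Caller removes it.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/.local/bin" "$root/usr/bin"
    printf '#!/bin/sh\necho user-local\n' > "$root/home/.local/bin/certbot"
    printf '#!/bin/sh\necho packaged\n'   > "$root/usr/bin/certbot"
    chmod 0755 "$root/home/.local/bin/certbot" "$root/usr/bin/certbot"
    echo "$root"
}

demo() {
    root=$(make_fixture)
    user_path="$root/home/.local/bin:$root/usr/bin"   # like the login shell
    sudo_path="$root/usr/bin"                          # like sudo's secure_path
    echo "login shell runs: $(first_in_path certbot "$user_path")"
    echo "sudo runs:        $(first_in_path certbot "$sudo_path")"
    if shadowed certbot "$user_path"; then
        echo "certbot is shadowed; all copies, in lookup order:"
        all_in_path certbot "$user_path"
    fi
    rm -rf "$root"
}
demo
```

On the real Droplet, all_in_path certbot "$PATH" run as the normal user followed by pip3 show certbot (same user) confirms whether the ~/.local copy is a pip user-site install; removing that copy with pip3 uninstall certbot as that user, or simply taking ~/.local/bin out of the picture, makes the unprivileged shell resolve /usr/bin/certbot like sudo does. Renewal from cron is unaffected either way, since cron as root uses its own minimal PATH and the full /usr/bin/certbot path above.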
