Unable auto renew by crontab under centos / nginx


#1

I have running a crontab task to automatically renew certificates but looks fail, does someone can help me to solving this issue, thank you very much.

#Let’s Encrypted renew at each Sunday PM16:58

10 17 * * 0 ./letsencrypt-auto certonly --renew-by-default -agree-tos --email myemail@qq.com -d mx.51server.cn


#2

Please provide more details, like the error you’re encountering when that command runs, and any log files from /var/log/letsencrypt.

You might also need to provide the full path to the letsencrypt-auto script in your crontab rather than ./letsencrypt-auto, unless the file happens to be located in whatever the working dir is for cronjobs.


#3

it’s just the crontab doesn’t works so I have received expiry notification email. below is the log of /var/log/letsencrypt.

could you please let me know the letsencrypt-auto script default path under CENTOS 7?

2016-10-05 23:28:15,439:DEBUG:certbot.main:Root logging level set at 30
2016-10-05 23:28:15,439:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-05 23:28:15,439:DEBUG:certbot.main:certbot version: 0.8.1
2016-10-05 23:28:15,440:DEBUG:certbot.main:Arguments: []
2016-10-05 23:28:15,440:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-10-05 23:28:15,453:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x1b9c810> and installer <certbot.cli._Default object at 0x1b9c810>
2016-10-05 23:28:15,453:DEBUG:certbot.cli:Default Detector is Namespace(account=<certbot.cli._Default object at 0x1b8cad0>, agree_dev_preview=None, allow_subset_of_names=<certbot.cli._Default object at 0x1b8ced0>, apache=<certbot.cli._Default object at 0x1b9c910>, authenticator=<certbot.cli._Default object at 0x1b9c810>, break_my_certs=<certbot.cli._Default object at 0x1b8dcd0>, cert_path=<certbot.cli._Default object at 0x1b9bcd0>, chain_path=<certbot.cli._Default object at 0x1b9bfd0>, checkpoints=<certbot.cli._Default object at 0x1b9b7d0>, config_dir=<certbot.cli._Default object at 0x1b9c110>, config_file=None, configurator=<certbot.cli._Default object at 0x1b9c810>, csr=<certbot.cli._Default object at 0x1b9b6d0>, debug=<certbot.cli._Default object at 0x1b8c310>, dialog_mode=<certbot.cli._Default object at 0x1b8edd0>, domains=<certbot.cli._Default object at 0x1b8e590>, dry_run=<certbot.cli._Default object at 0x1b8eb90>, duplicate=<certbot.cli._Default object at 0x1b8c950>, email=<certbot.cli._Default object at 0x1b8e710>, expand=<certbot.cli._Default object at 0x1b8e290>, fullchain_path=<certbot.cli._Default object at 0x1b9bed0>, func=<function renew at 0x1a677d0>, hsts=<certbot.cli._Default object at 0x1b96850>, http01_port=<certbot.cli._Default object at 0x1b8de50>, ifaces=<certbot.cli._Default object at 0x1b9bad0>, init=<certbot.cli._Default object at 0x1b9b8d0>, installer=<certbot.cli._Default object at 0x1b9c810>, key_path=<certbot.cli._Default object at 0x1b9bdd0>, logs_dir=<certbot.cli._Default object at 0x1b9c310>, manual=<certbot.cli._Default object at 0x1b9bb50>, manual_public_ip_logging_ok=<certbot.cli._Default object at 0x1b9b050>, manual_test_mode=<certbot.cli._Default object at 0x1b9b210>, must_staple=<certbot.cli._Default object at 0x1b96210>, nginx=<certbot.cli._Default object at 0x1b9bf50>, no_self_upgrade=<certbot.cli._Default object at 0x1b8c610>, no_verify_ssl=<certbot.cli._Default object at 0x1b8c190>, noninteractive_mode=<certbot.cli._Default object at 0x1b8ef50>, num=<certbot.cli._Default object at 0x1b9b490>, os_packages_only=<certbot.cli._Default object at 0x1b8c7d0>, post_hook=<certbot.cli._Default object at 0x1b9b090>, pre_hook=<certbot.cli._Default object at 0x1b96f50>, prepare=<certbot.cli._Default object at 0x1b9b9d0>, quiet=<certbot.cli._Default object at 0x1b8c490>, redirect=<certbot.cli._Default object at 0x1b96050>, register_unsafely_without_email=<certbot.cli._Default object at 0x1b8ea10>, reinstall=<certbot.cli._Default object at 0x1b8e410>, renew_by_default=<certbot.cli._Default object at 0x1b8e090>, renew_hook=<certbot.cli._Default object at 0x1b9b190>, rsa_key_size=<certbot.cli._Default object at 0x1b963d0>, server=<certbot.cli._Default object at 0x1b9c410>, staging=<certbot.cli._Default object at 0x1b9c510>, standalone=<certbot.cli._Default object at 0x1b9bd50>, standalone_supported_challenges=<certbot.cli._Default object at 0x1b9b750>, staple=<certbot.cli._Default object at 0x1b96c50>, strict_permissions=<certbot.cli._Default object at 0x1b96e50>, text_mode=<certbot.cli._Default object at 0x1b95110>, tls_sni_01_port=<certbot.cli._Default object at 0x1b8c050>, tos=<certbot.cli._Default object at 0x1b8cc50>, uir=<certbot.cli._Default object at 0x1b96a50>, update_registration=<certbot.cli._Default object at 0x1b8e890>, user_agent=<certbot.cli._Default object at 0x1b9b5d0>, validate_hooks=<certbot.cli._Default object at 0x1b9b290>, verb=‘renew’, verbose_count=<certbot.cli._Default object at 0x1b95290>, webroot=<certbot.cli._Default object at 0x1b9b950>, webroot_map=<certbot.cli._Default object at 0x1b9b590>, webroot_path=<certbot.cli._Default object at 0x1b9b790>, work_dir=<certbot.cli._Default object at 0x1b9c210>)
2016-10-05 23:28:15,462:INFO:certbot.renewal:Cert not yet due for renewal
2016-10-05 23:28:15,463:DEBUG:certbot.renewal:no renewal failures


#4

additional information: when I run certbot renew command at my server show below, do I believe the letsencrypt-auto script default path is:/etc/letsencrypt/renewal/mx.abc.com.conf

certbot renew


Processing /etc/letsencrypt/renewal/mx.abc.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/mx.sunontek.com/fullchain.pem (skipped)
No renewals were attempted.


#5

If your system is able to successfully run certbot renew, that would indicate you installed the certbot package through EPEL (via sudo yum install epel-release && sudo yum install certbot). The correct command for your cronjob would be certbot rather than letsencrypt-auto.

Your cronjob currently uses the certonly command to renew, you might want to look into changing that to certbot renew (this command didn’t exist in earlier client releases). You can find the documentation here.


#6

so I can just simply change my crontab to below then will be done?

10 17 * * 0 ./certbot renew --pre-hook “service nginx stop” --post-hook “service nginx start” --email myemail@qq.com -d mx.51server.cn


#7

The renew command renews all certificates on your system (as configured by the files in /etc/letsencrypt/renewal), so you would not need to provide a -d argument, nor --email.

Oh, and it should probably be certbot renew, not ./certbot renew.


#8

10 17 * * 0 certbot renew --pre-hook “service nginx stop” --post-hook “service nginx start” -d mx.51server.cn

so now is the correct crontab task now?


#9

No -d argument is needed, as certbot renew renews all certificates in your configuration as needed (i.e. 30 days prior to the expiration date).

You can test the command with --dry-run (exact same command + --dry-run at the end), and if that succeeds, the cronjob should succeed as well.


#10

10 17 * * 0 certbot renew --pre-hook “service nginx stop” --post-hook “service nginx start”

I think this should be final command in my crontab task list. because I have test it looks it’s works.

certbot renew --pre-hook “service nginx stop” --post-hook “service nginx start” --dry-run


Processing /etc/letsencrypt/renewal/mx.sunontek.com.conf

2016-10-06 05:12:52,292:ERROR:certbot.hooks:Error output from None:
Redirecting to /bin/systemctl stop nginx.service

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mx.sunontek.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
2016-10-06 05:13:00,107:ERROR:certbot.hooks:Error output from None:
Redirecting to /bin/systemctl start nginx.service

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

#11

Yep, that looks about right. :+1:


#12

Thank you so much for the help.


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.