I have just installed certbot on a CentOS8 system, and just wanted to double check if automatic renewals will work. I see that /etc/crontab does contain:
And I see that /var/log/letsencrypt/ is filling up with logs, they contain mentions of “not due for renewal”. Giving $ sudo /usr/local/bin/certbot-auto renew --dry-run also says not due for renewal and congratulations for everything succeeding.
My certificate status is VALID: 85 days.
Is there a certain number of remaining days where the 12-hourly renew cron task will actually do a renewal?
The certificate is usually renewed 30 days before it expires. The renewal command runs frequently and just checks how old the certificate is; if it has more than 30 days left, then it exits and runs again the next day.
If a renewal fails and the certificate gets close to expiring you should receive an email to the address you specified when setting up certbot.
Add -q (--quiet) as a Certbot argument in your cronjob and you won’t get the log noise. It will only log interesting things, such as actual renewals and failures.
The Certbot packages you can get from Linux distributions do this by default - the instructions for certbot-auto should probably be updated to include it as well.
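An independent check of the 30-day renewal window described in the replies above, added here as an example; it is not part of the original thread and not Certbot's own code. It assumes GNU date and openssl are installed; ALERT_DAYS and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify a certificate by how close it is to expiry, so a
# silently failing renewal job is noticed before the certificate lapses.
# Assumes GNU date (-d) and openssl on PATH.

RENEW_WINDOW_DAYS=30  # renewal window stated in the thread
ALERT_DAYS=14         # hypothetical threshold: still unrenewed this late means trouble

# Print the notAfter field of a PEM certificate, e.g. "Jan 31 00:00:00 2030 GMT".
cert_not_after() (
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
)

# secs_left NOT_AFTER [NOW_EPOCH] -> seconds until expiry (negative once expired).
secs_left() (
    end=$(date -u -d "$1" +%s) || exit 2
    now=${2:-$(date -u +%s)}
    echo $(( end - now ))
)

# days_left NOT_AFTER [NOW_EPOCH] -> whole days until expiry.
days_left() (
    s=$(secs_left "$@") || exit 2
    echo $(( s / 86400 ))
)

# renewal_state NOT_AFTER [NOW_EPOCH] -> fresh | due | overdue | expired
#   fresh:   outside the window; "not due for renewal" is the expected log line
#   due:     inside the window; the next cron run should renew
#   overdue: inside the window and below ALERT_DAYS; renewals are failing
renewal_state() (
    s=$(secs_left "$@") || exit 2
    if   [ "$s" -le 0 ]; then echo expired
    elif [ "$s" -lt $(( ALERT_DAYS * 86400 )) ]; then echo overdue
    elif [ "$s" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then echo due
    else echo fresh
    fi
)

# Usage: ./certcheck.sh /etc/letsencrypt/live/example.com/cert.pem
# (example.com is a placeholder). Exits 1 for overdue/expired so cron or a
# monitoring agent can alert on it.
if [ -n "${1:-}" ]; then
    na=$(cert_not_after "$1") || exit 2
    state=$(renewal_state "$na") || exit 2
    echo "$1: $(days_left "$na") days left, state=$state"
    case $state in fresh|due) exit 0 ;; *) exit 1 ;; esac
fi
```

A certificate with 85 days left, as in the question, is reported as fresh, which matches the "not due for renewal" log lines.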