Why my cert did not renew automatically even with certbot-auto renew


#1

Hi there,

I have installed my Let’s Encrypt on an Amazon Linux AMI EC2 instance. I have done the sudo crontab -e as such:
0 3 * * * /usr/local/bin/certbot-auto renew
30 3 * * * service httpd restart

However, the certificate failed to renew. Can anyone help to explain why? I am not very familiar with the commands, but I remember I followed some articles to do the auto renewal part.

Is there somewhere that I can find the log file of the error for renewal?

Due to this, as it expires today, I tried manually with sudo /usr/local/bin/certbot-auto renew and it worked. There was some error, but somehow it renewed successfully.

When I checked sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/learningforkeeps.com.sg/cert.pem, the expiry date had changed to February next year. So it works.

Appreciate some help and explanation.


#2

What was the error you got when renewing manually?


#3

Try looking in /var/log/letsencrypt for this.


#4

Hi schoen,

I tried cd /var/log/letsencrypt but got permission denied.
How can I go there? Please help.


#5

You need to be root, I believe.


#6

Ya. You are right, Thanks.


#7

I did not keep the error. If I remember correctly, it was some connection or authentication problem… 3 times connecting… then failed, then after that it gave the message clean up challenge or something like that… and renewal completed successfully.


#8

I just checked; it does not seem to have records of anything except the time I did the manual renewal yesterday.
Is it possible that it didn’t run at all?

Do I have to put sudo in the certbot file since I need to use sudo to do it manually?


#9

There might be a chance that running crontab with sudo doesn’t change some environment variables, so that in fact you are not editing root’s crontab but instead your own. You may check that if you (as root) have a look into the directory /var/spool/cron/crontabs:

sudo ls -ls /var/spool/cron/crontabs

As an alternative, you may just add the renewal to the system’s crontab (file /etc/crontab or directory /etc/cron.d). Be sure to follow the format then:

m h dom mon dow <username> <command>

#10

Thanks. I just logged in as root and checked this

sudo ls -ls /var/spool/cron/crontabs

but it returned

ls: cannot access /var/spool/cron/crontabs: No such file or directory

When I checked the /etc/crontab file, it is the one I added to, which is

0 3 * * * /usr/local/bin/certbot-auto renew
30 3 * * * service httpd restart

I noticed that you put

<username>

before the command, what should I put in my case? sudo or ec2-user?

Please help. Thank you.


#11

Ah! This is the wrong format; you have to put the username (root) before the command.


#12

Note that this is only for /etc/crontab and not for per-user crontabs (including root’s crontab), which don’t have a field for the user. But since you’re editing /etc/crontab, you do need to supply the field for the user.
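
The format point from posts #11 and #12, as an added example that is not part of the thread: a shell function that flags entries in an /etc/crontab-format file where the field after the schedule is not an account name. The function names and the sample passwd and crontab contents are constructed for illustration.

```shell
#!/bin/sh
# check_system_crontab CRONTAB [PASSWD]
# Flags entries in an /etc/crontab-format file whose user field is missing,
# i.e. the field after the schedule is not an account name from PASSWD.
# Prints one line per suspect entry and returns 1 if any were found.
check_system_crontab() {
    awk '
        NR == FNR { split($0, p, ":"); users[p[1]] = 1; next }  # pass 1: account names
        /^[ \t]*(#|$)/ { next }                                 # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }         # settings such as PATH=
        {
            pos = ($1 ~ /^@/) ? 2 : 6    # @daily etc. stand in for the five time fields
            user = $pos
            if (NF <= pos || !(user in users)) {
                printf "line %d: expected a user name, found \"%s\": %s\n", FNR, user, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "${2:-/etc/passwd}" "$1"
}

# Constructed sample: the two entries from the question plus corrected forms.
demo_check() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'ec2-user:x:500:500::/home/ec2-user:/bin/bash' > "$dir/passwd"
    cat > "$dir/crontab" <<'EOF'
SHELL=/bin/bash
# m h dom mon dow user command
0 3 * * * /usr/local/bin/certbot-auto renew
30 3 * * * service httpd restart
0 3 * * * root /usr/local/bin/certbot-auto renew
@daily root service httpd restart
EOF
    status=0
    check_system_crontab "$dir/crontab" "$dir/passwd" || status=$?
    rm -rf "$dir"
    return "$status"
}

demo_check || true
```

On a real host, run it as `check_system_crontab /etc/crontab`; it is only meaningful for /etc/crontab and /etc/cron.d files, since per-user crontabs have no user field.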


#13

Thank you 🙂


#14

Noted. Thanks for the information. 🙂

