Why does renew work every day?

Hello.

When I looked at /var/log/letsencrypt/letsencrypt.log, I found that renewal works every day, as follows…

$ grep 'Cert not yet due for renewal' /var/log/letsencrypt/letsencrypt.log*
/var/log/letsencrypt/letsencrypt.log:2017-11-23 12:49:33,796:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log:2017-11-23 12:49:33,801:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log:2017-11-23 12:49:33,807:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log:2017-11-23 12:49:33,821:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.1:2017-11-23 00:52:40,774:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.1:2017-11-23 00:52:40,788:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.1:2017-11-23 00:52:40,814:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.1:2017-11-23 00:52:40,840:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.2:2017-11-22 12:27:34,731:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.2:2017-11-22 12:27:34,738:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.2:2017-11-22 12:27:34,765:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.2:2017-11-22 12:27:34,792:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.3:2017-11-22 00:16:10,575:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.3:2017-11-22 00:16:10,591:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.3:2017-11-22 00:16:10,615:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.3:2017-11-22 00:16:10,639:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.4:2017-11-21 12:58:46,567:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.4:2017-11-21 12:58:46,574:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.4:2017-11-21 12:58:46,581:INFO:certbot.renewal:Cert not yet due for renewal
/var/log/letsencrypt/letsencrypt.log.4:2017-11-21 12:58:46,587:INFO:certbot.renewal:Cert not yet due for renewal

For now, I only set cron to renew just once per month as follows.

$ cat /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
#37 * * * * root cd / && run-parts --report /etc/cron.hourly
10 1 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
33 1 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
47 3 10 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
0 0 8 * * root /bin/bash /usr/sbin/letsencrypt_auto-update.sh >>/var/log/letsencrypt/letsencrypt_update.log 2>&1

Why does renew work every day?

OS: Ubuntu 16.04.3 LTS and Debian GNU/Linux 8

Thank you.

I guess it’s not the only Let’s Encrypt renewal cronjob you have. Maybe there is one in /etc/cron.d directory?

On the other hand, I wouldn’t recommend triggering a renewal check once a month. If the cronjob fails to obtain a certificate for any reason (for example, maintenance at Let’s Encrypt or a brief network disruption), the next attempt would be triggered after a month (and it may fail again, if you are unlucky).

Note that the logfile says "Cert not yet due for renewal" - certbot (by default) renews only certificates which expire in a month. If certificates are valid for a longer time, certbot simply exits, doing nothing (so there is no harm in triggering it twice a day).

Most probably there is a systemd-timer for certbot active - you don’t need the cronjob in this case. Like @mkwm already mentions, this is desired behaviour.

Thank you for the nice advice, @mkwm. I forgot the case of cron failure.
And, as @bytecamp said, it looks like the systemd timer for certbot is active.

# ls -l /etc/systemd/system/timers.target.wants/certbot.timer
lrwxrwxrwx 1 root root 33 Nov 12 13:30 /etc/systemd/system/timers.target.wants/certbot.timer -> /lib/systemd/system/certbot.timer
# sudo journalctl -u certbot.service
-- Logs begin at Tue 2017-11-14 16:10:46 UTC, end at Thu 2017-11-23 16:41:03 UTC
Nov 15 00:00:00 mydomain.com systemd[1]: Starting Certbot…
Nov 15 00:44:36 mydomain.com systemd[1]: Started Certbot.
Nov 15 12:00:01 mydomain.com systemd[1]: Starting Certbot…
Nov 15 12:54:11 mydomain.com systemd[1]: Started Certbot.
Nov 16 00:00:01 mydomain.com systemd[1]: Starting Certbot…
Nov 16 00:03:46 mydomain.com systemd[1]: Started Certbot.
Nov 16 12:00:01 mydomain.com systemd[1]: Starting Certbot…
Nov 16 12:54:09 mydomain.com systemd[1]: Started Certbot.
Nov 17 00:00:01 mydomain.com systemd[1]: Starting Certbot…
Nov 17 00:23:25 mydomain.com systemd[1]: Started Certbot.
Nov 17 12:00:02 mydomain.com systemd[1]: Starting Certbot…
Nov 17 12:10:28 mydomain.com systemd[1]: Started Certbot.

Do Debian and Ubuntu not need cron for certbot?
Anyway I will be able to delete cron for certificate renewal.
Thank you for the help.

The current certbot Ubuntu PPA install inserts both a systemd timer and a cron entry in /etc/cron.d (at least for those versions of Ubuntu which have systemd), but the cron entry is set up to do nothing if systemd is active (it looks for the directory /run/systemd/system and doesn’t run certbot renew if the directory is there).
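One way to list every scheduled trigger the replies above mention (the system crontab, /etc/cron.d drop-ins, and an enabled systemd timer) is sketched below as an added example that is not part of the original thread. The function names and the sample tree are constructed for illustration, and the cron.d line is a simplified stand-in that keeps only the /run/systemd/system check described above.

```shell
#!/bin/sh
# List everything under ROOT that can start certbot on a schedule.
# Prints one line per trigger: "<kind> <path> <note>".
find_renewal_triggers() {
    root="${1:-}"
    # Cron sources: the system crontab plus drop-in files.
    for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        # Ignore commented-out entries, keep lines that mention certbot.
        grep -v '^[[:space:]]*#' "$f" | grep -E 'certbot|letsencrypt' |
        while IFS= read -r line; do
            case "$line" in
                # Entry tests for a running systemd and then stays idle.
                *'/run/systemd/system'*) note="skipped-when-systemd-runs" ;;
                *) note="always-runs" ;;
            esac
            echo "cron ${f#"$root"} $note"
        done
    done
    # Enabled timers appear as symlinks in timers.target.wants.
    for t in "$root"/etc/systemd/system/timers.target.wants/*.timer; do
        [ -e "$t" ] || [ -L "$t" ] || continue
        case "$(basename "$t")" in
            *certbot*|*letsencrypt*) echo "timer ${t#"$root"} enabled" ;;
        esac
    done
}

# Constructed sample tree mirroring the setup discussed in the thread.
make_sample_tree() {
    mkdir -p "$1/etc/cron.d" "$1/etc/systemd/system/timers.target.wants"
    printf '%s\n' '# m h dom mon dow user command' \
        '#0 3 * * * root certbot renew' \
        '0 0 8 * * root /bin/bash /usr/sbin/letsencrypt_auto-update.sh' \
        > "$1/etc/crontab"
    printf '%s\n' \
        '0 */12 * * * root test ! -d /run/systemd/system && certbot -q renew' \
        > "$1/etc/cron.d/certbot"
    ln -s /lib/systemd/system/certbot.timer \
        "$1/etc/systemd/system/timers.target.wants/certbot.timer"
}

# Demo on the sample tree; on a real host call: find_renewal_triggers ""
tmp=$(mktemp -d) && make_sample_tree "$tmp" && find_renewal_triggers "$tmp"
rm -rf "$tmp"
```

An "always-runs" cron line alongside an enabled timer means two independent schedulers are invoking certbot, which is the situation the original poster found.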