Why won't certbot-auto renew the certificates expiring in less than 2 weeks?


#1

dry-run works flawlessly

./certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.domain.com.conf

Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.domain.com
tls-sni-01 challenge for sub1.domain.com
tls-sni-01 challenge for domain.com
tls-sni-01 challenge for sub2.domain.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

The cron log says it’s running just fine… but it doesn’t upgrade the certificates. I want this cron’d so I don’t have to run it manually every time they are about to expire.

Dec 14 21:59:01 CRON[4805]: (root) CMD (/usr/sbin/certbot-auto renew --quiet --no-self-upgrade )

Why can’t you issue these certificates for a normal amount of time instead of just 3 months… That would save a lot of trouble.

My certs expire Dec 26, isn’t this command supposed to update them automatically?


#2

Have you got your cron set up to email you the output? If so, what output does the command give?

If you run the command yourself ( /usr/sbin/certbot-auto renew --no-self-upgrade ) does it renew OK? If so, then it’s probably your PATH being different in the cron.


#3

No idea how to do the mail. Path is definitely not different or wrong.

If I run certbot-auto renew --no-self-upgrade from the command line and it works, I won’t be able to know if cron is going to work until 3 months from now, which is what I’m trying to avoid. I’m trying to resolve this once and for all so it will just run on its own.


#4

By PATH I mean the environment PATH variable, not the path to the command “/usr/sbin/”. I’d be surprised if the PATH variable was exactly the same. You can see what it is interactively by running

echo $PATH


#5

What does the path have to do with it if I have the full path directly to the file in my crontab and when I run it from the command line? I can see from the syslog that it’s executing anyway.

Here is my $PATH if it matters…

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games


#6

The PATH is important because it shows where the program should look for other applications / scripts it needs - which would fail if it can’t find them.

The question is what is your PATH in the cron - you could echo $PATH in a cron - and place it in a file - then you can see what the difference is. Alternatively you could modify the PATH variable in your current cron (ignoring the “games” ones, as they are not likely to be needed).


#7

OK…

root $PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

cron $PATH = /usr/bin:/bin

So I guess I have to modify it, but how?


#8

You can just define the path in the cron statement

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"; /usr/sbin/certbot-auto renew --quiet --no-self-upgrade


#9

OK, now I got this:

Dec 14 22:43:01 CRON[2057]: (root) CMD (PAHT="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"; /usr/sbin/certbot-auto renew --quiet --no-self-upgrade )

And that was the problem. They finally updated.

Thanks.


#10

You’re welcome - glad it’s all solved 🙂
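
Added example, not part of any post in this thread: a shell script for checking the fix from post #8 without waiting for the next expiry. It runs a command line under the environment cron reported in post #7 and lists commands that resolve interactively but not under cron. The function names and the script name are hypothetical, and the HOME, LOGNAME and SHELL values are an approximation of what cron sets.

```shell
#!/bin/sh
# Added example, not from the thread. PATH values are the ones posted in #7 and #8.
CRON_PATH="/usr/bin:/bin"
FULL_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Print the first executable named $2 found in the PATH-style list $1.
# Runs in a subshell so the IFS and globbing changes do not leak out.
resolve_in_path() (
    IFS=:
    set -f
    for dir in $1; do
        candidate="${dir:-.}/$2"
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            exit 0
        fi
    done
    exit 1
)

# Print each named command that resolves interactively but not under cron.
lost_in_cron() {
    for cmd in "$@"; do
        if resolve_in_path "$FULL_PATH" "$cmd" >/dev/null &&
           ! resolve_in_path "$CRON_PATH" "$cmd" >/dev/null; then
            printf '%s\n' "$cmd"
        fi
    done
}

# Run one command line the way cron does: empty environment apart from the
# few variables cron sets (assumed values here), cron's PATH, and /bin/sh -c.
run_like_cron() {
    env -i PATH="$CRON_PATH" SHELL=/bin/sh HOME="${HOME:-/}" \
        LOGNAME="${LOGNAME:-root}" /bin/sh -c "$1"
}

# Usage: sh cron-path-check.sh <command names to look up>
if [ "$#" -gt 0 ]; then
    lost_in_cron "$@"
fi
```

Calling `run_like_cron '/usr/sbin/certbot-auto renew --dry-run --no-self-upgrade'` as root shows the output that `--quiet` hides in the cron job, so a failure caused by the reduced PATH is visible immediately.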

