
How do I schedule the Let's Encrypt certbot to automatically renew my certificate in cron?

I've seen conflicting recommendations. From the eff.org docs:

if you're setting up a cron or systemd job, we recommend running it twice per day... Please select a random minute within the hour for your renewal tasks.

I've also seen recommendations for weekly jobs.

I'm not a cron expert, so I'd prefer an answer with detailed steps for setting up the cron job.

Chapman Atwell asked Jan 08 '17 17:01



3 Answers

I recently (April 2018) installed and ran certbot (version 0.22.2) on an Ubuntu 16.04 server, and a renewal cron job was created automatically in /etc/cron.d/certbot.

Here's the cron job that was created:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

Please check this before adding a new cron job.

Update (From @Hamish Downer's comment):

It's worth being aware that the above cron job won't run certbot renew if /run/systemd/system is present - this is because instead a systemd timer is running certbot - read more about certbot and systemd timers here.

V-Q-A NGUYEN answered Oct 22 '22 18:10


So I settled on scheduling it to run once a day. First I tested auto-renew as the docs recommend:

sudo letsencrypt renew --dry-run --agree-tos

Then I updated the crontab:

sudo crontab -e

This is the line I added:

12 3 * * *   letsencrypt renew >> /var/log/letsencrypt/renew.log

This runs the renew every day at 3:12 am. I presume the docs recommend "a random minute within the hour" to distribute the load on the renew servers. So I suppose anything other than 0, 15, 30, or 45 is preferred.

I looked into randomizing the minute in the cron setting, like Jenkins allows you to do. On the original EFF page is this example:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew

Finally, I tested the cron command using sudo bash:

sudo bash -c "letsencrypt renew >> /var/log/letsencrypt/renew.log"

Chapman Atwell answered Oct 22 '22 16:10
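The two answers above show the same idea in two forms: the Debian cron.d entry (skip when a systemd timer is in charge, sleep a random time, then `certbot -q renew`) and a hand-written crontab line that appends to a log. The following wrapper script is an added example, not code from the question or any answer; it reproduces that logic in plain POSIX sh, and the certbot, systemd and log paths are assumptions that can be overridden from the environment.

```shell
#!/bin/sh
# Added example: a renewal wrapper mirroring the /etc/cron.d/certbot logic.
# Paths below are assumptions; override them via the environment if needed.
CERTBOT=${CERTBOT:-/usr/bin/certbot}
SYSTEMD_DIR=${SYSTEMD_DIR:-/run/systemd/system}
LOG=${LOG:-/var/log/letsencrypt/renew.log}

# Cron should run renewal only if certbot is installed AND systemd is not
# booted: when /run/systemd/system exists, certbot.timer already runs the
# renewal, and a second scheduler would only duplicate the attempts.
cron_should_renew() {
    [ -x "$1" ] && [ ! -d "$2" ]
}

# Random integer in [0, max). POSIX sh has no $RANDOM, so use awk's rand().
random_below() {
    awk -v max="$1" 'BEGIN { srand(); print int(rand() * max) }'
}

# Build a cron.d line for a twice-daily run at a random minute, as the EFF
# docs recommend, so that many hosts do not hit the CA at the same moment.
cron_line() {
    printf '%s */12 * * * root %s -q renew >> %s 2>&1\n' \
        "$(random_below 60)" "$CERTBOT" "$LOG"
}

# Run the renewal: spread the load with a random delay of up to one hour,
# then let certbot renew only the certificates within 30 days of expiry.
main() {
    if ! cron_should_renew "$CERTBOT" "$SYSTEMD_DIR"; then
        echo "certbot missing or systemd timer in charge; nothing to do" >> "$LOG"
        return 0
    fi
    sleep "$(random_below 3600)"
    "$CERTBOT" -q renew >> "$LOG" 2>&1
}

# Only act when invoked with "run", so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Install it as the command of a single cron entry (or print `cron_line` into /etc/cron.d/) and check /run/systemd/system first: on a systemd host the script logs and exits, leaving renewal to certbot.timer.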


In Debian Jessie and up (incl. Ubuntu), cron is not executed for Certbot renewal. Instead, the systemd timer is used. See the timer: /lib/systemd/system/certbot.timer

This timer runs the following service: /lib/systemd/system/certbot.service

Which contains:

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

In order to list all the timers, execute the following command in the terminal:

systemctl list-timers

Hopefully Certbot is part of this:

Mon 2019-02-04 08:38:45 CET 9h left Sun 2019-02-03 15:25:41 CET 8h ago certbot.timer certbot.service

UPDATE:

Due to the down votes, I'll add how to install Certbot on a Debian based distro (it may vary depending on your Linux distribution).

But within Debian Stretch for example you can install the back-port package of certbot via:

sudo apt-get install certbot -t stretch-backports

This will install the files I showed above for you automatically, and thus automatically schedule a certbot timer for you, which runs the service, which in turn runs the renew.

Manually running a renew is always possible via:

sudo /usr/bin/certbot renew

It can be forced via the --force-renewal flag. For more info, see the help text of renew:

/usr/bin/certbot --help renew

Files part of the certbot package (incl. but not limited to):

dpkg-query -L certbot
...
/lib/systemd/system/certbot.service
/lib/systemd/system/certbot.timer
...

Melroy van den Berg answered Oct 22 '22 18:10