I've seen conflicting recommendations. From the eff.org docs:
if you're setting up a cron or systemd job, we recommend running it twice per day... Please select a random minute within the hour for your renewal tasks.
I've also seen recommendations for weekly jobs.
I'm not a cron expert, so I'd prefer an answer with detailed steps for setting up the cron job.
Certificates created using --manual do not support automatic renewal unless combined with an authentication hook script via --manual-auth-hook to automatically set up the required HTTP and/or TXT challenges.
How do I manually renew my certificate? The way you renew a certificate created with the manual plugin is to re-run the original command, so if you did something like certbot certonly --manual -d example.com, you would just run that command again.
I recently (April 2018) installed and ran certbot (version 0.22.2) on an Ubuntu 16.04 server, and a renewal cron job was created automatically in /etc/cron.d/certbot.
Here's the cron job that was created:
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
Please check this before putting a new Cron job.
Update (From @Hamish Downer's comment):
It's worth being aware that the above cron job won't run certbot renew if /run/systemd/system is present - this is because instead a systemd timer is running certbot - read more about certbot and systemd timers here.
So I settled on scheduling it to run once a day. First I tested auto-renew as the docs recommend:
sudo letsencrypt renew --dry-run --agree-tos
Then I updated the crontab:
sudo crontab -e
This is the line I added:
12 3 * * * letsencrypt renew >> /var/log/letsencrypt/renew.log
This runs the renew every day at 3:12 am. I presume the docs recommend "a random minute within the hour" to distribute the load on the renew servers. So I suppose anything other than 0, 15, 30, or 45 is preferred.
I looked into randomizing the minute in the cron setting, like Jenkins allows you to do. On the original EFF page is this example:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew
Finally, I tested the cron command using sudo bash:
sudo bash -c "letsencrypt renew >> /var/log/letsencrypt/renew.log"
In Debian Jessie and up (incl. Ubuntu) cron is not executed for Certbot renewal.
Instead the systemd timer is used. See timer: /lib/systemd/system/certbot.timer
This timer runs the following service: /lib/systemd/system/certbot.service
Which contains:
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
In order to list all the timers, execute the following command in the terminal:
systemctl list-timers
Hopefully Certbot is part of this:
Mon 2019-02-04 08:38:45 CET 9h left Sun 2019-02-03 15:25:41 CET 8h ago certbot.timer certbot.service
UPDATE:
Due to the down votes, I'll add how to install Certbot on a Debian based distro (it may vary depending on your Linux distribution).
But within Debian Stretch, for example, you can install the back-port package of certbot via:
sudo apt-get install certbot -t stretch-backports
This will install the files I showed above for you automatically! And thus automatically schedule a certbot timer for you, which runs the service, which in turn runs the renew.
Manually running a renew is always possible via:
sudo /usr/bin/certbot renew
It can be forced via the --force-renewal flag. For more info see the help text of renew:
/usr/bin/certbot --help renew
Files that are part of the certbot package (incl. but not limited to):
dpkg-query -L certbot
...
/lib/systemd/system/certbot.service
/lib/systemd/system/certbot.timer
...
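The cron answer's update and the systemd answer above describe two mutually exclusive schedulers: the packaged cron job skips renewal when /run/systemd/system exists, and certbot.timer is expected to take over. The shell check below is an added example, not part of any answer or of the certbot package; it reports which of the two will actually run the renewal and flags the case where neither does. The root argument, the --live switch and the timers.target.wants symlink path are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which scheduler will actually run `certbot -q renew`.
# ROOT is a hypothetical parameter (default /) so the check can also be run
# against a test tree instead of the live filesystem.

renewal_scheduler() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", so the paths below stay absolute
    certbot="$root/usr/bin/certbot"
    cronfile="$root/etc/cron.d/certbot"
    timer="$root/lib/systemd/system/certbot.timer"
    # Assumption: the timer is enabled through timers.target, which leaves
    # this symlink behind.
    wants="$root/etc/systemd/system/timers.target.wants/certbot.timer"

    if [ ! -x "$certbot" ]; then
        echo "none: certbot not installed"
        return 1
    fi
    if [ -d "$root/run/systemd/system" ]; then
        # Same guard as the packaged cron job: with systemd running,
        # the cron entry does nothing and the timer must do the work.
        if [ -e "$timer" ] && [ -L "$wants" ]; then
            echo "systemd-timer"
            return 0
        fi
        echo "none: systemd running, certbot.timer missing or not enabled"
        return 1
    fi
    # No systemd: a non-comment cron line that calls certbot renew is needed.
    if [ -f "$cronfile" ] && grep -Eq '^[^#]*certbot.*renew' "$cronfile"; then
        echo "cron"
        return 0
    fi
    echo "none: no systemd and no certbot cron entry"
    return 1
}

# Check the live system only when asked: sh check-renewal.sh --live
if [ "${1:-}" = "--live" ]; then
    renewal_scheduler /
fi
```

A "none" result on a host that serves certificates means nothing is scheduled to renew them, whichever answer's setup was followed.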