I got email notifications that my Let’s Encrypt/certbot certificates were expiring, even though these should auto-renew. I had explored certbot a while ago to organize it better, but did not look into all aspects of it.
I looked into it a bit more and saw that everything with certbot was getting errors. First there was a misconfiguration due to referencing an old certificate path name.
Then lots of the other commands would fail.
I looked at the versions and my certbot version was out of date.
Using the Ubuntu instructions at https://certbot.eff.org/docs/install.html, I upgraded:
sudo apt-get install certbot
sudo apt-get install python-certbot-apache
After that, it seemed to work. I did a test with
certbot renew --dry-run
which was the command that had failed earlier, and this time it succeeded. So then I ran it without the --dry-run.
Comparing a particular domain’s certificate before and after (according to one external certificate-checking site), here is what it looks like when the renewal works:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/jeremykeeshin.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jeremykeeshin.com
http-01 challenge for www.jeremykeeshin.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/jeremykeeshin.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
And after the update, the certificate’s expiry is now 90 days out again.
New certbot version
# certbot --version
certbot 0.31.0
Now the question is where the logic that renews the certs actually lives. It could be in one of two places: the crontab or a systemd timer.
Looking at /etc/cron.d/certbot, it has
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Looking at the timers:
# systemctl list-timers certbot.timer
NEXT                         LEFT     LAST                         PASSED     UNIT           ACTIVATES
Sun 2020-12-13 13:26:12 UTC  9h left  Sun 2020-12-13 03:32:07 UTC  18min ago  certbot.timer  certbot.service
It looks like that is what is running: the cron entry above tests for /run/systemd/system and skips itself on a systemd host, so on this machine certbot.timer is what actually runs certbot renew twice a day. I still haven’t figured out exactly what is going on, but I know enough to renew the certificates and probably keep it working like normal.
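Here is a small renewal health check, added as an example and not part of the original post or of certbot itself. It ties together the two things above: the dry-run check, and the cron-versus-timer question, by mirroring the guard in the /etc/cron.d/certbot entry (the cron job only fires when /run/systemd/system is absent) and by applying the 30-day threshold the cron file’s comment describes. The paths under /etc/letsencrypt and /var/log/letsencrypt are certbot’s standard layout; the function names, the dependency on GNU date -d, and the dates used in the comments are this example’s own assumptions.

```sh
#!/bin/sh
# Added example, not certbot's own code: report which scheduler runs renewals,
# how many days each live certificate has left, and whether a renewal is due.

# Which scheduler is in charge. The Debian cron entry runs
# "test -x /usr/bin/certbot -a \! -d /run/systemd/system && ... certbot -q renew",
# so when /run/systemd/system exists the cron job does nothing and certbot.timer
# is what actually runs the renewals. The directory is a parameter (assumption
# of this example) so the decision can be exercised with a fake path.
renewal_scheduler() {
    systemd_dir="${1:-/run/systemd/system}"
    if [ -d "$systemd_dir" ]; then
        echo "certbot.timer (systemd)"
    else
        echo "/etc/cron.d/certbot (cron)"
    fi
}

# Days until a notAfter value in the format openssl prints, e.g.
# "Mar 13 13:26:12 2021 GMT". The optional second argument is the reference
# epoch (defaults to now) so the arithmetic is reproducible. Requires GNU date -d.
days_until_expiry() {
    not_after="$1"
    now="${2:-$(date -u +%s)}"
    expiry=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# certbot renew only acts when expiry is within 30 days (per the cron file's
# comment). Returns true (0) when a cert with this many days left is due.
renewal_due() {
    [ "$1" -le 30 ]
}

# Walk the live certificates and print one status line per lineage.
report_live_certs() {
    for cert in /etc/letsencrypt/live/*/cert.pem; do
        [ -r "$cert" ] || continue
        not_after=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
        days=$(days_until_expiry "$not_after")
        if renewal_due "$days"; then
            status="DUE (certbot renew will act on it)"
        else
            status="ok"
        fi
        printf '%s: %s days left, %s\n' "$(basename "$(dirname "$cert")")" "$days" "$status"
    done
}

# Only do the live checks on a host that actually has certbot certificates.
if [ -d /etc/letsencrypt/live ]; then
    echo "Renewals are scheduled by: $(renewal_scheduler)"
    report_live_certs
    # On a systemd host, the timer and the last service run show whether the
    # scheduled renewals are really happening.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl list-timers certbot.timer --no-pager || true
        systemctl status certbot.service --no-pager 2>/dev/null || true
    fi
    # Dry run against the staging environment before trusting the schedule;
    # certbot writes details of any failure to its standard log.
    certbot renew --dry-run || echo "dry run failed; see /var/log/letsencrypt/letsencrypt.log"
fi
```

Running it on the machine above would report certbot.timer as the scheduler, list each lineage under /etc/letsencrypt/live with its days left, and finish with the same dry run the post used to confirm the fix. If the timer shows no LAST run, or certbot.service last failed, the certificates will quietly slide toward the 30-day mark and then expire exactly as the notification emails warned.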