
Debugging Certbot cronjob

Feb 12, 2023 · 2 mins read

Quite frequently I’ve noticed some Certbot cronjobs not being able to renew certificates as I was receiving the Let’s Encrypt expiring notice emails. So, here are some things you could try.

Prerequisites

  • Certbot issued Let’s Encrypt certificates

Solution(s)

cronjob

Step 1. Figure out the full path of Certbot’s binary. Run the following command:

which certbot

Example output:

/usr/bin/certbot

Step 2. Open the Cron table.

crontab -e

Step 3. Update the Certbot cronjob to look something like the following one:

0 0 * * * /usr/bin/certbot renew -q && systemctl reload nginx

Note: Make sure to use the full path of the Certbot binary. In the cron example above, I’ve used /usr/bin/certbot, which might not be the case for everyone. It can be /usr/local/bin/certbot too, so that’s why it is important to find the absolute path first, as described in Step 1.

Step 4 (Debugging). If you want to know what’s going on with the cronjob and why it is failing, just log the output to some log file. Example:

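0 0 * * * { /usr/bin/certbot renew -q && systemctl reload nginx; } > /tmp/certbot-cron.log 2>&1

  • { ...; }: the braces group both commands so the redirection applies to Certbot as well as to the nginx reload. Without them, only the output of systemctl reload nginx is logged.
  • 2>&1: the error message (if any) is redirected to wherever the standard output is pointed. In this case, both the standard output and the standard error are written to the same file, /tmp/certbot-cron.log.
  • If the job runs from root’s crontab, a log file in a root-owned directory is safer than a fixed file name in the world-writable /tmp directory.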
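
The cron steps above, as an added example (not from the original post): a wrapper for root's crontab that checks the absolute Certbot path, logs the output of both commands with timestamps, and reloads nginx only when the renewal succeeds. The `--run` argument and the `CERTBOT`, `RELOAD_CMD` and `LOG` variables are assumptions made for this example.

```sh
#!/bin/sh
# Added example: cron wrapper for the renew-and-reload job (not from the original post).
# CERTBOT, RELOAD_CMD and LOG are assumed defaults; override them via the environment.
CERTBOT="${CERTBOT:-/usr/bin/certbot}"          # absolute path from `which certbot`
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
LOG="${LOG:-/var/log/certbot-cron.log}"         # root-owned directory, not /tmp

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >>"$LOG"; }

run_renewal() {
    umask 077                                   # keep the log readable by its owner only
    # cron runs with a minimal PATH, so check the absolute path explicitly.
    if [ ! -x "$CERTBOT" ]; then
        log "ERROR: $CERTBOT is missing or not executable"
        return 127
    fi
    log "starting: $CERTBOT renew -q"
    "$CERTBOT" renew -q >>"$LOG" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
        log "ERROR: certbot exited with status $rc, skipping reload"
        return "$rc"
    fi
    # Word splitting of RELOAD_CMD is intentional (command plus arguments).
    $RELOAD_CMD >>"$LOG" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
        log "ERROR: reload exited with status $rc"
    else
        log "renew and reload finished"
    fi
    return "$rc"
}

# Run only when invoked with --run, e.g. from root's crontab.
if [ "${1:-}" = "--run" ]; then
    run_renewal
    exit $?
fi
```

Saved as an executable script, it replaces the command part of the crontab entry and is called with `--run`; the log then shows which of the two steps failed and with what exit status.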

certbot-renew.timer

The following solution might work only on CentOS and Amazon Linux cloud VMs where Certbot is installed via the yum package manager. Instead of using a cronjob, use the certbot-renew.timer service.

Step 1. List any Certbot service.

systemctl list-unit-files | grep certbot

Example output:

certbot-renew.service       static
certbot-renew.timer         disabled

Step 2. Before enabling the timer, make sure to configure the POST_HOOK value found in the /etc/sysconfig/certbot config file. For instance:

POST_HOOK="systemctl reload nginx"

Step 3. Enable the certbot-renew.timer service.

systemctl enable certbot-renew.timer

Step 4. Start the certbot-renew.timer service.

systemctl start certbot-renew.timer

Step 5. Verify the status.

systemctl status certbot-renew.timer

Conclusion

If you have any other great solutions on this topic, or even issues, feel free to leave a comment below and if you find this tutorial useful, follow our official channel on Telegram.