Quite frequently I’ve noticed some Certbot cronjobs not being able to renew certificates as I was receiving the Let’s Encrypt expiring notice emails. So, here are some things you could try.
- Certbot issued Let’s Encrypt certificates
Step 1. Figure out the full path of Certbot’s binary. Run the following command:
Step 2. Open the Cron table.
Step 3. Update the Certbot cronjob to look something like the following one:
0 0 * * * /usr/bin/certbot renew -q && systemctl reload nginx
Note: Make sure to use the full path of the Certbot binary. In the cron example above, I’ve used /usr/bin/certbot, which might not be the case for everyone. It can be /usr/local/bin/certbot too, so that’s why it is important to find the absolute path first, as described in Step 1.
Step 4 (Debugging). If you want to know what’s going on with the cronjob and why it is failing, just log the output to a log file. Example:
0 0 * * * (/usr/bin/certbot renew -q && systemctl reload nginx) > /tmp/certbot-cron.log 2>&1
The parentheses group both commands so that the redirection applies to Certbot as well as to the nginx reload; without them, only the output of systemctl reload nginx would reach the log file.
2>&1: the error message (if any) is redirected to wherever the standard output is pointing. In this case, both the standard output and the standard error are written to the same file.
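The two pitfalls from the steps above (a Certbot path that cron cannot resolve, and a log redirect that only covers the last command) can be checked mechanically. The following is an added example, not part of the original tutorial; the function name check_cron_line and its finding codes are made up for illustration, and it assumes the five-field schedule form.

```sh
#!/bin/sh
# Lint one crontab entry that runs certbot (hypothetical helper, five-field schedule only).
# Prints space-separated finding codes, or "ok".
check_cron_line() {
    # Strip the five schedule fields; the rest is the command cron passes to /bin/sh.
    cmd=$(printf '%s\n' "$1" | awk '{ $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }')
    findings=""

    # Locate the word that invokes certbot (ignoring a leading "(" or "{").
    bin=$(printf '%s\n' "$cmd" | tr ' ' '\n' | sed 's/^[({]*//' \
          | grep -E '(^|/)certbot$' | head -n 1)
    case $bin in
        "") findings="$findings no-certbot" ;;
        /*) [ -x "$bin" ] || findings="$findings not-executable" ;;
        *)  findings="$findings relative-path" ;;  # depends on cron's minimal PATH
    esac

    # On an ungrouped "a && b > log", the redirect only captures b's output.
    case $cmd in
        "("*|"{"*) ;;  # grouped: the redirect covers every command
        *"&&"*">"*) findings="$findings redirect-covers-last-command-only" ;;
    esac

    echo "${findings:-ok}" | sed 's/^ //'
}

# Constructed sample entries (not taken from a real crontab).
while IFS= read -r entry; do
    printf '%s\n    -> %s\n' "$entry" "$(check_cron_line "$entry")"
done <<'EOF'
0 0 * * * certbot renew -q && systemctl reload nginx
0 0 * * * /usr/bin/certbot renew -q && systemctl reload nginx > /tmp/certbot-cron.log 2>&1
EOF
```

The not-executable finding is evaluated on the machine where the script runs, so run it on the host that owns the crontab.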
The following solution might work only on CentOS and Amazon Linux cloud VMs where Certbot is installed via the yum package manager. Instead of using a cronjob, use the certbot-renew.timer service.
Step 1. List any Certbot service.
systemctl list-unit-files | grep certbot
certbot-renew.service static
certbot-renew.timer disabled
Step 2. Before enabling, make sure to configure the POST_HOOK value found in the /etc/sysconfig/certbot config file. For instance:
POST_HOOK="systemctl reload nginx"
Step 3. Enable the
systemctl enable certbot-renew.timer
Step 4. Start the
systemctl start certbot-renew.timer
Step 5. Verify the status.
systemctl status certbot-renew.timer