Letsencrypt autorenew didn't work, now I can't renew my certificate

This is quite frustrating. I followed the instructions to make sure the cron job would run before the certificate ran out, so I didn’t do anything when I started to get emails from LetsEncrypt warning of expiry. Now I can’t renew.

I tried renaming the old cert dir and running the letsencrypt script again, but it keeps failing while checking the acme-challenge.

I don’t want to blow the VM away and start all over again. The box was stable and running flawlessly (well, except the renewal bit).

Can anyone assist? I’m running the VM, and all updates are done. The firewall is forwarding both ports 80 and 443 to the internal address of the Nextcloud VM (SNAT).

If you manually run certbot setup again, does it work?

Thank you for pointing me in the right direction. I can’t remember the link I used to delete the old certificate, but after searching for manually running certbot I came across these instructions: https://certbot.eff.org/lets-encrypt/ubuntubionic-apache. This sequence ran properly, and I can now get on the site again.

I guess the second part now is - do I just run a certbot renewal command when I get the notification that my certificate will be expiring, or is there some way to ensure it automatically renews before the expiry date?

You can just create a cron job that runs the following monthly:
certbot renew

The certbot docs actually suggest running the cron job twice a day, rather than monthly. The first thing it does is check whether the cert will expire within 30 days and if not it just exits, so there’s no harm in running it that frequently.

Running it this often means that if you do get the about-to-expire emails (which I believe start coming at around 20 days from expiry) then you probably have something to worry about/attend to.
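A way to turn the reasoning above into a concrete check, added here as an example and not code from any of the posts or from the Nextcloud VM: it reads the expiry date of the certificate a host actually serves and classifies it against certbot's 30-day renewal window and the roughly 20-day point at which the expiry emails start, so a cert that is still live inside the email window means the cron job has not been renewing. The threshold names, the category labels and the host used in `__main__` are my own assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# Thresholds taken from the discussion above (names are mine).
RENEW_THRESHOLD_DAYS = 30   # certbot renew only acts when fewer than 30 days remain
WARN_EMAIL_DAYS = 20        # Let's Encrypt expiry mails start at about 20 days


def seconds_left(not_after: str, now: Optional[datetime] = None) -> float:
    """Seconds until a certificate's notAfter date.

    not_after uses the format getpeercert() returns, e.g. 'Jun 10 12:00:00 2024 GMT'.
    """
    now = now or datetime.now(timezone.utc)
    return ssl.cert_time_to_seconds(not_after) - now.timestamp()


def days_left(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days remaining; negative once the certificate has expired."""
    return int(seconds_left(not_after, now) // 86400)


def classify(days: int) -> str:
    """Map remaining days onto what the renewal job should have done by now."""
    if days < 0:
        return "expired"
    if days < WARN_EMAIL_DAYS:
        # certbot renew had at least ten days of 12-hourly runs to act; it did not.
        return "renewal-failed"
    if days < RENEW_THRESHOLD_DAYS:
        return "renew-window"   # the next scheduled run is expected to renew it
    return "ok"


def live_cert_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the notAfter date of the certificate actually served on host:port."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Assumed usage: python check_cert.py cloud.example.org
    target = sys.argv[1] if len(sys.argv) > 1 else "cloud.example.org"
    remaining = days_left(live_cert_not_after(target))
    print(f"{target}: {remaining} days left -> {classify(remaining)}")
```

Run it from the same cron schedule as the renewal job and alert on anything other than `ok` or `renew-window`, which catches a silently failing renewal well before the expiry emails do.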

True

But why not just a daily run? Twice a day seems to be too much in my eyes.
However, this is totally up to you and what you feel comfortable with.
It was just one of many options I provided.

This is currently in my /etc/cron.d/certbot file:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

However, when I nano this file it says it’s unwritable.

If I run sudo crontab -e I see:

@daily /var/scripts/letsencryptrenew.sh

So, I’m not really sure where I should be putting the command. I do remember there was a cron job when initially setting up the VM, so I don’t know whether or not it just didn’t run, or if this is a new cron.d/certbot file that wasn’t there before.

For the split second it takes certbot to check the expiration date on the certificate, I wouldn’t sweat it even if it checked every five minutes, as long as the process is working.

Did you sudo nano?

No, I didn’t. Good catch. (I’m a Windows server guy lol).

I don’t really know why they suggest every 12 hours; daily seems adequate to me too. But I also agree with KarlF12 that the cost is negligible.

Hi!

The VM should handle the auto renewal of certs, but it could fail when Certbot changes the way certificates are handled. It happened once before to my knowledge, and the “fix” back then was to run certbot renew manually and then just let the update script take care of the rest.

When the certs are generated in the VM, a separate script is created and put into a cron job which runs every day. You can find it here: