Letsencrypt renew / cron issue

Creating a bug report/issue

Required Information

  • DietPi version | cat /boot/dietpi/.version
  • Distro version | echo $G_DISTRO_NAME $G_RASPBIAN
  • Kernel version | uname -a
    5.10.110-meson64 #22.05.1 SMP PREEMPT Sat May 28 07:50:27 UTC 2022 aarch64 GNU/Linux
  • SBC model | echo $G_HW_MODEL_NAME or (EG: RPi3)
    Odroid C4/HC4 (aarch64)
  • Power supply used | (EG: 5V 1A RAVpower)
  • SD card used | (EG: SanDisk ultra)

Additional Information (if applicable)

  • Software title | (EG: Nextcloud)
    Nextcloud, Letsencrypt
  • Was the software title installed freshly or updated/migrated?
  • Can this issue be replicated on a fresh installation of DietPi?
    I don’t know
    ← If you sent a “dietpi-bugreport”, please paste the ID here →
  • Bug report ID | echo $G_HW_UUID

Steps to reproduce

  1. Letsencrypt certificate is running out of validity
  2. Certbot runs via cron to update it

Expected behaviour

  • New Certificates get installed

Actual behaviour

  • Certbot doesn’t update the certificates

Extra details

  • I checked whether the cron daemon runs or not with the command:

sudo journalctl -u cron.service | grep certbot

  • which result was

Jun 19 00:00:01 my.domain.com CRON[1458679]: (root) CMD (test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e ‘sleep int(rand(43200))’ && certbot -q renew)
Jun 19 12:00:02 my.domain.com CRON[1496091]: (root) CMD (test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e ‘sleep int(rand(43200))’ && certbot -q renew)
Jun 20 00:00:01 my.domain.com CRON[1532602]: (root) CMD (test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e ‘sleep int(rand(43200))’ && certbot -q renew)
Jun 20 12:00:01 my.domain.com CRON[1570024]: (root) CMD (test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e ‘sleep int(rand(43200))’ && certbot -q renew)

  • if i run the following command manually, everything works fine but I want it to work automatically right

sudo certbot renew

Short question, was the certificate already expired? Or was there still some days left? That’s basically a certbot own functionality to renew a certificate only if needed.

Hey @Joulinar ,
the certificate was already expired.

The certificate if renewed via systemd timer instead of via cron job:

systemctl status certbot.timer
journalctl -u certbot

I will have to check it again and don’t fix it manually if it occurs again. the certbot runs automatically but the certificate somehow wasn’t renewed by it.

Did you tried to restart the web server before going to recreate the certificate manually? We had a case once where the certificate was correctly renewed by certbot but a web server restart was needed to have it accepted

Ah right, with Lighttpd the restart is still required.

:smile: you got me. That is my problem then. Nevertheless it is really bad for me e.g. if the cert runs out during vaca and i can’t access my privat network. I have to find a workaround then

Solved with: v8.6 · MichaIng/DietPi@70f7fa2 · GitHub

Run this:

[[ -d '/etc/letsencrypt/renewal-hooks/deploy' ]] || G_EXEC mkdir -p /etc/letsencrypt/renewal-hooks/deploy
G_EXEC eval 'echo -e '\''#!/bin/dash\nsystemctl reload lighttpd'\'' > /etc/letsencrypt/renewal-hooks/deploy/dietpi-lighttpd.sh'
G_EXEC chmod +x /etc/letsencrypt/renewal-hooks/deploy/dietpi-lighttpd.sh

Needs to be tested whether a “reload” is sufficient or a “restart” of the service required.

1 Like

I just tested it with a manuel forced renewal.
reloading lighttpd was sufficient. THanks

1 Like

Many thanks for testing!