Letsencrypt renew / cron issue

Creating a bug report/issue

Required Information

  • DietPi version | cat /boot/dietpi/.version
    G_DIETPI_VERSION_CORE=8
    G_DIETPI_VERSION_SUB=5
    G_DIETPI_VERSION_RC=1
    G_GITBRANCH='master'
    G_GITOWNER='MichaIng'
  • Distro version | echo $G_DISTRO_NAME $G_RASPBIAN
    bullseye
  • Kernel version | uname -a
    5.10.110-meson64 #22.05.1 SMP PREEMPT Sat May 28 07:50:27 UTC 2022 aarch64 GNU/Linux
  • SBC model | echo $G_HW_MODEL_NAME or (EG: RPi3)
    Odroid C4/HC4 (aarch64)
  • Power supply used | (EG: 5V 1A RAVpower)
  • SD card used | (EG: SanDisk ultra)

Additional Information (if applicable)

  • Software title | (EG: Nextcloud)
    Nextcloud, Letsencrypt
  • Was the software title installed freshly or updated/migrated?
    No
  • Can this issue be replicated on a fresh installation of DietPi?
    I don’t know
    ← If you sent a “dietpi-bugreport”, please paste the ID here →
  • Bug report ID | echo $G_HW_UUID
    e913f5ea-44de-4789-a438-5fa0c3af6af0

Steps to reproduce

  1. Letsencrypt certificate is running out of validity
  2. Certbot runs via cron to update it

Expected behaviour

  • New Certificates get installed

Actual behaviour

  • Certbot doesn’t update the certificates

Extra details

  • I checked whether the cron daemon runs or not with the command:

sudo journalctl -u cron.service | grep certbot

  • which result was

Jun 19 00:00:01 my.domain.com CRON[1458679]: (root) CMD (test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Jun 19 12:00:02 my.domain.com CRON[1496091]: (root) CMD (test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Jun 20 00:00:01 my.domain.com CRON[1532602]: (root) CMD (test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Jun 20 12:00:01 my.domain.com CRON[1570024]: (root) CMD (test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)

  • If I run the following command manually, everything works fine, but I want it to work automatically right

sudo certbot renew

Short question: was the certificate already expired? Or were there still some days left? That’s basically certbot’s own functionality to renew a certificate only if needed.

Hey @Joulinar ,
the certificate was already expired.

The certificate is renewed via systemd timer instead of via cron job:

systemctl status certbot.timer
journalctl -u certbot

I will have to check it again and not fix it manually if it occurs again. The certbot runs automatically, but the certificate somehow wasn’t renewed by it.

Did you try to restart the web server before recreating the certificate manually? We had a case once where the certificate was correctly renewed by certbot, but a web server restart was needed to have it accepted.

Ah right, with Lighttpd the restart is still required.

:smile: You got me. That is my problem then. Nevertheless, it is really bad for me, e.g. if the cert runs out during vaca and I can’t access my private network. I have to find a workaround then.

Solved with: v8.6 · MichaIng/DietPi@70f7fa2 · GitHub

Run this:

[[ -d '/etc/letsencrypt/renewal-hooks/deploy' ]] || G_EXEC mkdir -p /etc/letsencrypt/renewal-hooks/deploy
G_EXEC eval 'echo -e '\''#!/bin/dash\nsystemctl reload lighttpd'\'' > /etc/letsencrypt/renewal-hooks/deploy/dietpi-lighttpd.sh'
G_EXEC chmod +x /etc/letsencrypt/renewal-hooks/deploy/dietpi-lighttpd.sh

Needs to be tested whether a “reload” is sufficient or a “restart” of the service is required.


@MichaIng
I just tested it with a manual forced renewal.
Reloading lighttpd was sufficient. Thanks


Many thanks for testing!
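
The failure discussed in this thread (certbot renews the files on disk, but Lighttpd keeps serving the old certificate until it is reloaded) can be checked by comparing fingerprints. The following is an added example, not part of the thread or of DietPi: it assumes `openssl` is installed and certbot's standard `/etc/letsencrypt/live/<domain>/` layout, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not DietPi code): detect a renewed certificate that the
# web server has not loaded yet. Function names are hypothetical.

# SHA-256 fingerprint of the first certificate in a PEM file; empty on error.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# Print the leaf certificate a TLS server presents, as PEM.
served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Compare on-disk cert ($1) with served cert ($2), both PEM files.
# Returns 0 = identical, 1 = server still serves another cert, 2 = unreadable.
check_stale() {
    fp_disk=$(cert_fp "$1")
    fp_served=$(cert_fp "$2")
    if [ -z "$fp_disk" ] || [ -z "$fp_served" ]; then
        echo "ERROR: could not read a certificate from $1 or $2" >&2
        return 2
    fi
    if [ "$fp_disk" = "$fp_served" ]; then
        echo "OK: served certificate matches $1"
        return 0
    fi
    echo "STALE: server presents $fp_served, disk has $fp_disk"
    return 1
}

# Fetch the live certificate of host $1 and compare it with PEM file $2.
check_host() {
    tmp_pem=$(mktemp) || return 2
    served_cert "$1" "${3:-443}" >"$tmp_pem"
    check_stale "$2" "$tmp_pem"
    rc=$?
    rm -f "$tmp_pem"
    return "$rc"
}

# Usage (domain as in the log lines above):
#   check_host my.domain.com /etc/letsencrypt/live/my.domain.com/cert.pem
```

Run after a renewal, an exit status of 1 means the web server has not picked up the new certificate, i.e. the deploy hook did not reload it.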