Can't get crontab to auto update my ssl certificate

Status
Not open for further replies.

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I followed the steps in https://forums.freenas.org/index.ph...x-php-fpm-and-mysql.17786/page-62#post-341153 by @KevDog. But I'm still getting notices from Let's Encrypt that my SSL cert is going to expire. I thought that the crontab would run daily and renew the SSL cert when it's up for renewal.
My crontab:
Code:
# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: releng/10.3/etc/crontab 194170 2009-06-14 06:37:19Z brian $
#
SHELL=/bin/sh
#PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/etc:/usr/local/sbin
#
#minute hour	mday	month   wday	who	 command
#
*/5	 *	   *	   *	   *	   root	/usr/libexec/atrun
#
# Save some entropy so that /dev/random can re-seed on boot.
#*/11   *	   *	   *	   *	   operator /usr/libexec/save-entropy
#
# Rotate log files every hour, if necessary.
0	   *	   *	   *	   *	   root	newsyslog
#
# Perform daily/weekly/monthly maintenance.
1	   3	   *	   *	   *	   root	periodic daily
15	  4	   *	   *	   6	   root	periodic weekly
30	  5	   1	   *	   *	   root	periodic monthly
#
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time.  See adjkerntz(8) for details.
1,31	0-5	 *	   *	   *	   root	adjkerntz -a


My /etc/periodic/daily/220.LetsEncrypt-SSL-Renewal file.
Code:
#!/bin/sh
/usr/local/bin/certbot renew --quiet --pre-hook "service nginx stop" --post-hook "service nginx start"


Code:
-rwxr-xr-x  1 root  wheel   114 Jun 22 22:08 220.LetsEncrypt-SSL-Renewal
 

scrappy

Patron
Joined
Mar 16, 2017
Messages
347
I have certbot running on my FreeBSD VPS without issue. This is how I have it configured

00 04 * * 0 /usr/local/bin/certbot renew -q --standalone --pre-hook "service nginx stop" --post-hook "service nginx start"


Maybe you need to add --standalone?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
What does the letsencrypt log say?
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
When I run

/usr/local/bin/certbot renew --dry-run

I get "Congratulations, all renewals succeeded". Then I realized that I recently updated to the latest version of 9.10 and that always breaks my DDNS service and UPS service. I believe I've fixed both of them. How can I now test if my crontab will automatically update my Let's Encrypt SSL cert? If I do a manual update
/usr/local/bin/certbot renew

I will have to wait 90 days to see if it works automatically.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
How can I now test if my cron tab will automatically update my letsencrypt ssl?
Check the log. It logs success and failures.

Where exactly are you running this crontab entry from?
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
From my nextcloud jail.
Here is part of my log
Code:
2017-06-23 18:11:01,701:DEBUG:certbot.main:Root logging level set at 20
2017-06-23 18:11:01,702:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-06-23 18:11:01,702:DEBUG:certbot.main:certbot version: 0.9.3
2017-06-23 18:11:01,702:DEBUG:certbot.main:Arguments: ['--dry-run']
2017-06-23 18:11:01,703:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-06-23 18:11:01,735:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-07-12 22:15:00 UTC.
2017-06-23 18:11:01,735:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-06-23 18:11:01,748:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-06-23 18:11:01,752:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x809607b50>
Prep: True
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Bottom of the log shows
Code:
2017-06-23 18:11:07,082:DEBUG:certbot.renewal:no renewal failures
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Bottom of the log shows
Code:
2017-06-23 18:11:07,082:DEBUG:certbot.renewal:no renewal failures
And that's how you check to make sure it's working. Looks like it's working fine.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
And that's how you check to make sure it's working. looks like it's working fine.
Great to know but I get that message when doing the dry run option. How do I know if the cron is working to do it without the dry run option automatically?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Check the log after it's scheduled to run. It's located in your jail that certbot is installed in at /var/log/letsencrypt

If you had this set up as a scheduled task from the FreeNAS GUI you would get email alerts if it fails to run.
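
An added example, not part of the original posts: since "no renewal failures" is also logged by a `--dry-run`, this sketch groups log lines into runs and uses the `Arguments:` line to report only scheduled (non-dry-run) runs. It assumes each run opens with the "Root logging level" line seen in the excerpt above; the second run in `SAMPLE` is constructed.

```python
import ast
import re

# timestamp,millis:LEVEL:logger:message (format of the excerpts in this thread)
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:([A-Z]+):([\w.]+):(.*)$")

def parse_runs(text):
    """Split letsencrypt.log text into one dict per certbot invocation."""
    runs = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines such as the plugin description
        stamp, level, _logger, msg = m.groups()
        # Assumption: each invocation opens with the "Root logging level" line.
        if msg.startswith("Root logging level set") or not runs:
            runs.append({"start": stamp, "dry_run": False, "outcome": "unknown"})
        run = runs[-1]
        if msg.startswith("Arguments: "):
            try:
                args = ast.literal_eval(msg[len("Arguments: "):])
            except (ValueError, SyntaxError):
                args = []
            run["dry_run"] = "--dry-run" in args
        elif level in ("ERROR", "CRITICAL"):
            run["outcome"] = "failed"
        elif msg == "no renewal failures" and run["outcome"] != "failed":
            run["outcome"] = "ok"
    return runs

def last_real_run(text):
    """Return the most recent run that was not a --dry-run, or None."""
    real = [r for r in parse_runs(text) if not r["dry_run"]]
    return real[-1] if real else None

# Constructed sample: the first run mirrors the dry run posted above, the second
# is an invented 03:01 "periodic daily" run using the script's arguments.
SAMPLE = """\
2017-06-23 18:11:01,701:DEBUG:certbot.main:Root logging level set at 20
2017-06-23 18:11:01,702:DEBUG:certbot.main:Arguments: ['--dry-run']
2017-06-23 18:11:07,082:DEBUG:certbot.renewal:no renewal failures
2017-06-24 03:01:12,100:DEBUG:certbot.main:Root logging level set at 30
2017-06-24 03:01:12,101:DEBUG:certbot.main:Arguments: ['--quiet', '--pre-hook', 'service nginx stop', '--post-hook', 'service nginx start']
2017-06-24 03:01:19,440:DEBUG:certbot.renewal:no renewal failures
"""

if __name__ == "__main__":
    for run in parse_runs(SAMPLE):
        print(run)
    print("last scheduled run:", last_real_run(SAMPLE))
```

If the log directory holds rotated files (letsencrypt.log.1 and so on), concatenate them oldest first before passing the text in. A result of `None` means no non-dry-run invocation was logged at all, which points at cron or periodic not running the script rather than at certbot.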
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Thanks. Last question if you don't mind. Am I doing something incorrectly that my DDNS, UPS service don't work after an update of the OS and my plugin jail has to be manually started even though it is set to autostart?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
No clue on that one, hopefully someone else will see this and assist.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
This is how I have it configured

00 04 * * 0 /usr/local/bin/certbot renew -q --standalone --pre-hook "service nginx stop" --post-hook "service nginx start"
I manually renewed the SSL cert to see if it would work and it did. After editing my script to include --standalone I ran the script and got no renewal failures in the log. I guess I'll have to wait 90 days to see if it works.
 