Cron Job for Certbot in a Jail

Status
Not open for further replies.

dambrosioj (Dabbler, joined Apr 1, 2015, 23 messages)
I hope someone can help me, I am pretty new to setting up cron jobs. I set up nginx/certbot/letsencrypt in a jail and it's working great. The problem is I am trying to run a cron job to get the cert to auto-renew every 90 days (or check every 30 days). I can run it fine inside the jail, but when trying to do it as a crontab -e it doesn't work. I also tried doing it from the GUI.

I wanted to use this command:
Code:
*/30 * * * * service nginx stop && /certbot/certbot-auto renew && service nginx start >> /var/log/le-renew.log

Could anyone point me in the right direction?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
Well, the crontab entry you posted would run your command every 30 minutes, every hour, every day, every month, and every day of the week. That's certainly not what you want, especially since it will take down your web server. A better plan would be:
Code:
 7 22 * * * /certbot/certbot-auto renew && service nginx reload >> /var/log/le-renew.log

This runs certbot daily at 10:07 PM (a semi-randomly chosen time at night, when the server presumably won't be too busy). It will check your existing cert, and if it has less than 30 days before expiration, it will renew it. As long as you used the webroot plugin to get your cert, you don't need to stop nginx.

dambrosioj (Dabbler, joined Apr 1, 2015, 23 messages)
Quoting danb35:
Well, the crontab entry you posted would run your command every 30 minutes, every hour, every day, every month, and every day of the week. That's certainly not what you want, especially since it will take down your web server. A better plan would be:
Code:
 7 22 * * * /certbot/certbot-auto && service nginx reload >> /var/log/le-renew.log

This runs certbot daily at 10:07 PM (a semi-randomly chosen time at night, when the server presumably won't be too busy). It will check your existing cert, and if it has less than 30 days before expiration, it will renew it. As long as you used the webroot plugin to get your cert, you don't need to stop nginx.

Are you putting that in the gui interface or just crontab -e?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
That would be what you'd enter in crontab -e in the jail. You could probably do it through the FreeNAS web GUI, but you'd need to account for the jail, so the command would look something like jexec # '/certbot/certbot-auto renew && service nginx reload >> /var/log/le-renew.log'. Note that I'm not sure how the && works with jexec; you might need to mess with that a bit.

Also note that I goofed on my example cronjob; I left out the "renew" command. I'll edit the post to correct it.

If that cronjob doesn't work, what happens?
 

dambrosioj (Dabbler, joined Apr 1, 2015, 23 messages)
Quoting danb35:
That would be what you'd enter in crontab -e in the jail. You could probably do it through the FreeNAS web GUI, but you'd need to account for the jail, so the command would look something like jexec # '/certbot/certbot-auto renew && service nginx reload >> /var/log/le-renew.log'. Note that I'm not sure how the && works with jexec; you might need to mess with that a bit.

Also note that I goofed on my example cronjob; I left out the "renew" command. I'll edit the post to correct it.

If that cronjob doesn't work, what happens?

Not really sure; from what I can see it's doing nothing, since it's not creating the log in var/log for me to see. Does the crontab create a log somewhere I can see?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
I think I see the problem. Your redirect is on the nginx reload, not on the certbot command. Try this as the command instead:
Code:
/certbot/certbot-auto renew >> /var/log/le-renew.log 2>&1 && service nginx reload

There are two major differences here. First, the output of the certbot-auto command is sent to the log, rather than the output of the nginx reload. Second, it also sends STDERR to that log file. Between those two changes, you should at least see something in the log.
 

dambrosioj (Dabbler, joined Apr 1, 2015, 23 messages)
Quoting danb35:
I think I see the problem. Your redirect is on the nginx reload, not on the certbot command. Try this as the command instead:
Code:
/certbot/certbot-auto renew >> /var/log/le-renew.log 2>&1 && service nginx reload

There are two major differences here. First, the output of the certbot-auto command is sent to the log, rather than the output of the nginx reload. Second, it also sends STDERR to that log file. Between those two changes, you should at least see something in the log.

So that got me a bit farther. I get this error now:
"Cannot find any Pythons; please install one!"

Strange, because doesn't python install as a prerequisite for nginx and certbot?
 

Jailer (Not strong, but bad, joined Sep 12, 2014, 4,977 messages)
Quoting danb35:
That would be what you'd enter in crontab -e in the jail. You could probably do it through the FreeNAS web GUI, but you'd need to account for the jail, so the command would look something like jexec # '/certbot/certbot-auto renew && service nginx reload >> /var/log/le-renew.log'. Note that I'm not sure how the && works with jexec; you might need to mess with that a bit.

I wouldn't use a JID in your cron job as that can change with a reboot. Use the jail's hostname instead.
 

dambrosioj (Dabbler, joined Apr 1, 2015, 23 messages)
Quoting Jailer:
I wouldn't use a JID in your cron job as that can change with a reboot. Use the jail's hostname instead.

I'm not, I am using:
Code:
/certbot/certbot-auto renew >> /var/log/le-renew.log 2>&1 && service nginx reload
 

Jailer (Not strong, but bad, joined Sep 12, 2014, 4,977 messages)
Quoting dambrosioj:
I'm not, I am using:
Code:
/certbot/certbot-auto renew >> /var/log/le-renew.log 2>&1 && service nginx reload

I was referring to @danb35's post on setting up a cron job in the GUI.
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
Let's back up a bit. Why are you using certbot-auto? The certbot-auto script is intended for OSs that don't have a prepackaged version of certbot available, which FreeBSD does. You might be better off to do pkg install py27-certbot and then run commands using certbot rather than certbot-auto. The package should take care of any dependencies. You could then try certbot renew --dry-run and see what happens.

As a second point, certbot strikes me as being much more "heavy" than is necessary in most cases, with lots of dependencies and such. I've been using the script formerly known as letsencrypt.sh, and now called dehydrated, to get Let's Encrypt certs for my hosts. I've found it to work well, and it has very few dependencies (IIRC, only curl and openssl). It does not make any changes to your webserver configuration the way certbot can, but you shouldn't need to do that on an ongoing basis anyway. Another popular alternative client is acme.sh.
 

dambrosioj (Dabbler, joined Apr 1, 2015, 23 messages)
Quoting danb35:
Let's back up a bit. Why are you using certbot-auto? The certbot-auto script is intended for OSs that don't have a prepackaged version of certbot available, which FreeBSD does. You might be better off to do pkg install py27-certbot and then run commands using certbot rather than certbot-auto. The package should take care of any dependencies. You could then try certbot renew --dry-run and see what happens.

As a second point, certbot strikes me as being much more "heavy" than is necessary in most cases, with lots of dependencies and such. I've been using the script formerly known as letsencrypt.sh, and now called dehydrated, to get Let's Encrypt certs for my hosts. I've found it to work well, and it has very few dependencies (IIRC, only curl and openssl). It does not make any changes to your webserver configuration the way certbot can, but you shouldn't need to do that on an ongoing basis anyway. Another popular alternative client is acme.sh.

Thanks!!
I used acme.sh and all is good now.
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
Great! I'm not too familiar with its specifics, but it should have a renewal mode that works similarly to certbot's and dehydrated's, in that it checks your existing cert and only kicks off the renewal if that cert has less than n days remaining (with dehydrated, n is configurable but defaults to 30). Set up a cron job to run that daily followed by service nginx reload, and you should be good.
 

adrianwi (Guru, joined Oct 15, 2013, 1,231 messages)
I stumbled across this as I was looking to add a cron job to renew my Letsencrypt certificates.

I've tried running

Code:
45 23 * * * certbot renew >> /var/log/le-renew.log 2>&1 && service nginx reload

outside crontab, but it gives me an error: Ambiguous output redirect

I wasn't sure what the '2>&1' bit was doing, so removed this and it seems to run OK and adds some stuff to the log file. It would be useful to have the date and time it ran though, so any idea how to add that to the command? And what is the '2>&1' supposed to do?

Thanks for the thread though :D
 

Jailer (Not strong, but bad, joined Sep 12, 2014, 4,977 messages)
I do mine a bit differently. I have a cron task set up in the GUI that calls a script for the renewal twice per day.

jexec proxy1 csh /renew.sh

My renew script is pretty simple. The script is in the root of my proxy jail.
Code:
#!/bin/sh
/usr/local/bin/certbot renew --post-hook "service nginx restart" --quiet

One thing I do like about doing it this way is when a cert is renewed it restarts nginx. The restart config test triggers an error to /dev/null and I get an email alert. It's not really an error but it does let me know that everything is working. It might not be as elegant a solution as others have come up with but it's been working for me for over a year now without issue.
 

adrianwi (Guru, joined Oct 15, 2013, 1,231 messages)
Completely new to this script stuff, so hoping someone might be able to spot my mistake. I thought it would be the easiest way to add a date to the log file, and the cron job is running as it's adding the date, but not the certbot renewal stuff.

Code:
#!/bin/sh
# stamp the log with today's date, then append certbot's output
today=$(date +%Y-%b-%d)
echo $today >> /var/log/le-renew.log
certbot renew >> /var/log/le-renew.log
service nginx reload

I have a crontab 45 23 * * * /le-renew.sh

If I run ./le-renew.sh it works correctly and puts the date and then the certbot renewal info.

Thanks!
 
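Pulling together danb35's point about sending certbot's stderr to the log with 2>&1, adrianwi's questions about what 2>&1 does and how to timestamp the log, and the script above that only logs the date when run from cron, here is an added example of a /bin/sh renewal script for the jail; it is mine, not any poster's. It assumes the missing certbot output under cron is down to cron's minimal PATH (so PATH is set explicitly), and the renew and reload commands are placeholders that can be overridden through environment variables; note that 2>&1 is Bourne-shell syntax, which csh, the jail's default root shell, rejects with "Ambiguous output redirect".

```shell
#!/bin/sh
# Constructed example for this thread, not any poster's script.
# Install as /le-renew.sh in the jail and run it from the jail's crontab:
#   45 23 * * * /le-renew.sh run
# cron starts with a minimal PATH, so name it explicitly instead of relying
# on the interactive shell's (assumed cause of "certbot" not being found).
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
export PATH

LOG=${LOG:-/var/log/le-renew.log}
RENEW_CMD=${RENEW_CMD:-"certbot renew"}            # overridable for testing
RELOAD_CMD=${RELOAD_CMD:-"service nginx reload"}   # overridable for testing

# log_run LOGFILE CMD...: append a timestamped header, then the command's
# stdout and stderr (that is what 2>&1 does) to LOGFILE; return its status.
log_run() {
    logfile=$1; shift
    printf '=== %s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$logfile"
    "$@" >> "$logfile" 2>&1
}

# renew_and_reload LOGFILE: reload nginx only when the renewal succeeded,
# so a failed run is recorded in the log instead of silently reloading.
renew_and_reload() {
    logfile=$1
    # $RENEW_CMD is deliberately unquoted so "certbot renew" splits into words.
    if log_run "$logfile" $RENEW_CMD; then
        log_run "$logfile" $RELOAD_CMD
    else
        status=$?
        printf '=== renewal failed (exit %s), reload skipped\n' "$status" >> "$logfile"
        return "$status"
    fi
}

case "${1:-}" in
    run) renew_and_reload "$LOG" ;;
esac
```

Running it by hand as sh /le-renew.sh run shows the same timestamped block cron will append each night.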

adrianwi (Guru, joined Oct 15, 2013, 1,231 messages)
Anyone?

I've tried this a number of different ways, but all I ever get in the log file when the script runs from crontab is the date. If I run ./le-renew.sh it adds the date and the output from certbot too, which is what I'm trying to achieve.

UPDATE: actually, ignore that! I've just tried a different approach, running it as a task (jexec ssl_proxy sh /le-renew.sh) in the FreeNAS GUI, and that seems to work, so hopefully when I check tomorrow it will have updated at 23:50 and added to the log file.

ovizii (Patron, joined Jun 30, 2014, 435 messages)
Quoting Jailer:
I do mine a bit differently. I have a cron task set up in the GUI that calls a script for the renewal twice per day.

jexec proxy1 csh /renew.sh

My renew script is pretty simple. The script is in the root of my proxy jail.
Code:
#!/bin/sh
/usr/local/bin/certbot renew --post-hook "service nginx restart" --quiet

One thing I do like about doing it this way is when a cert is renewed it restarts nginx. The restart config test triggers an error to /dev/null and I get an email alert. It's not really an error but it does let me know that everything is working. It might not be as elegant a solution as others have come up with but it's been working for me for over a year now without issue.

Could this also work from within the jail? i.e. by using crontab -e and then inserting a line like:
Code:
0 7 * * * /usr/local/bin/certbot renew --post-hook "service nginx restart" --quiet

The reason I am asking is because I am struggling to get cron jobs to run within jails, so if you can confirm that this should work, I'll open a separate thread with my detailed issue.
 