autorenew is not working #9931

Open
mbrde opened this issue Apr 16, 2024 · 6 comments

mbrde commented Apr 16, 2024

Hi,

I have certbot 1.22.0 running on Oracle Linux 8:

```
certbot.noarch 1.22.0-1.el8 @ol8_developer_EPEL
python3-certbot.noarch 1.22.0-1.el8 @ol8_developer_EPEL
python3-certbot-apache.noarch 1.22.0-1.el8 @ol8_developer_EPEL
```

After creating the certificate with "certbot certonly --apache -d DOMAIN" it's confirmed with the message "Certbot has set up a scheduled task to automatically renew this certificate in the background." and everything works, but there is no background job running.

Is there an issue in this specific release or am I missing something else? I hope the answer is not "use the snap package".

@osirisinferi
Collaborator

> but there is no background job running

What exactly do you mean by this? How/where did you check?

@mbrde
Author

mbrde commented Apr 17, 2024

> > but there is no background job running
>
> What exactly do you mean by this? How/where did you check?

Nothing happened:

  • still the old certs in /etc/letsencrypt/live
  • no new entry in /var/log/letsencrypt

Also, I'm not sure how the task is triggered, but there is neither a cronjob nor a systemd-timer.

@osirisinferi
Collaborator

I don't fully understand why you would see that message. It would only show if the --preconfigured-renewal option was used, which is a packager-use-only option (i.e., not to be used by users on the command line, but by the packager of an OS package).

If I take a look at the contents of the OL8 EPEL Certbot 1.22.0-1 RPM, I do not see such an option actually being used anywhere.

That said, I also can't find that option in the Debian .deb package, which I know does install a systemd timer. 🤔 So maybe I'm not searching well enough.

Anyway, Certbot itself (the Python application) does not automatically insert cronjobs or systemd timers and relies on the --preconfigured-renewal option to show you that message, which is added by packagers. The recommended method of installing Certbot using snap, however, does install an (indirect, I believe) systemd timer. For OS packages it's left to the packager of that package to add a systemd timer or cronjob.

So while I don't fully understand the OL8 EPEL package, I don't believe this is actually a Certbot issue.

@mbrde
Author

mbrde commented Apr 21, 2024

> I don't fully understand why you would see that message. It would only show if the --preconfigured-renewal option was used, which is a packager-use-only option (i.e., not to be used by users on the command line, but by the packager of an OS package).

Well, I see the message.

> So while I don't fully understand the OL8 EPEL package, I don't believe this is actually a Certbot issue.

At least certbot shows the wrong message.

> Anyway, Certbot itself (the Python application) does not automatically insert cronjobs or systemd timers and relies on the --preconfigured-renewal option to show you that message, which is added by packagers. The recommended method of installing Certbot using snap, however, does install an (indirect, I believe) systemd timer. For OS packages it's left to the packager of that package to add a systemd timer or cronjob.

I never understood why snap is the recommended method. Does anybody really like snap?

Back to topic: For now I will set up a systemd timer or a cronjob manually in future. But maybe someone finds out what is really going wrong here. Either Oracle Linux (or RHEL) made a mistake in the EPEL Repo or I missed something...

@osirisinferi
Collaborator

> At least certbot shows the wrong message.

No, Certbot shows a message as instructed by the --preconfigured-renewal option. Of course I cannot exclude a bug with the limited information provided, but I highly doubt it. If you had shown a log as requested by the initial questionnaire when you opened this issue (which you have deleted), we could investigate further.

> But maybe someone finds out what is really going wrong here. Either Oracle Linux (or RHEL) made a mistake in the EPEL Repo or I missed something...

You might want to reach out to the OL8 EPEL packager.

@mbrde
Author

mbrde commented Apr 21, 2024

> No, Certbot shows a message as instructed by the --preconfigured-renewal option.

You are right. What I meant was that this message made me think certbot creates the timer.

> Of course I cannot exclude a bug with the limited information provided, but I highly doubt it. If you had shown a log as requested by the initial questionnaire when you opened this issue (which you have deleted), we could investigate further.

Sorry for the little information. This issue is reproducible on a fresh OL8 with only certbot and httpd or nginx installed.
I have checked all logfiles. After creating the certificates no new entry was appended, and while creating them no error occurred. But I will check the logs again and provide them here soon.

While answering I had another idea: Maybe SELinux caused the systemd-timer not to be created. I'll check this also...

> You might want to reach out to the OL8 EPEL packager.

That will be the next step ;)
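
An added example, not part of the thread and not Certbot or EPEL code: a shell function that looks for a scheduled `certbot renew` in common cron and systemd unit locations, which is the check this issue turns on. The function name `find_renewal_jobs`, its optional root-prefix argument and the list of locations are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list files that schedule "certbot renew".
# ROOT is an optional filesystem prefix, so the scan can be pointed at a
# mounted image or a test tree; empty means the live system.
# The location list is an assumption covering common cron and systemd paths.

find_renewal_jobs() {
    root="${1:-}"
    found=1
    for loc in \
        "$root/etc/crontab" \
        "$root/etc/cron.d" \
        "$root/etc/cron.daily" \
        "$root/etc/cron.weekly" \
        "$root/var/spool/cron" \
        "$root/etc/systemd/system" \
        "$root/usr/lib/systemd/system"
    do
        [ -e "$loc" ] || continue
        # Match lines that invoke certbot ... renew and are not commented out.
        matches=$(grep -rlE '^[^#]*certbot.*renew' "$loc" 2>/dev/null) || continue
        printf '%s\n' "$matches"
        found=0
    done
    # 0 = at least one scheduled renewal found, 1 = none found.
    return "$found"
}

# Example use on the live system (reading /var/spool/cron needs root):
#   find_renewal_jobs || echo "no scheduled certbot renew found"
# A unit file on disk is not proof that its timer is active; confirm with:
#   systemctl list-timers --all
```

An empty result alongside the "scheduled task" message means nothing will renew the certificate before it expires, so the job has to be added by hand or by the package.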
