LetsEncrypt auto renew is not working via crontab, but works manually

Keywords: WordPress + NGINX + SSL - AWS - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: d3b3cc21-297b-3782-2919-dc56c0c468cb
Description:
I have followed this guide to a T and auto renew is refusing to work via crontab:
https://docs.bitnami.com/general/apps/gitlab/administration/generate-configure-certificate-letsencrypt/

When run manually, it works like a charm. When running the crontab command in terminal, it works as well:
/opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

I am on AWS E2 instance running WordPress with NGINX and SSL Certified by Bitnami and Automattic-5-5-1-1 on Debian 10 AMI. Please help!

Hello @stas1,

Thanks for using our WP solution! Looking into your crontab configuration, it seems the cron was set up just fine:

-----------------------------------
Crontab content for root user:
-----------------------------------
Running: crontab -l
In: /opt/bitnami

Output:

0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

That cron will execute renew-certificate.sh the first of every month and renew your certificate. Has the cron been running before the first of this month?

Regards,
Francisco de Paz

I have the same issue and would like to get a resolution from Bitnami support team.

Thank you for the quick response. You are right, crontab had been set up per instructions, but it is not executing. When running the command in terminal manually, it works without a hitch. Cron is not executing. In my previous testing, it might have been choking up on the 2> /dev/null part.

Hello @martinmuli, @stas1,

The part 2> /dev/null is to avoid showing any command’s output, but it shouldn’t be causing any errors. Could you try creating a cron to be run shortly (every hour) and save the output to a file? You can do something like:

sudo vim /opt/bitnami/cron_output.log
sudo chmod 777 /opt/bitnami/cron_output.log

And add the following cron:

0 * * * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh >> /opt/bitnami/cron_output.log 2>&1

Let the cron run at least once and share the logs in the created file here.

Could you please tell me if you are also using a WP+NGINX+SSL instance @martinmuli?

Regards,
Francisco de Paz
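
The logging test suggested in the post above, written as a wrapper. This is an added example, not part of the original thread or of Bitnami's scripts, and the names `run_logged` and `cron-logged.sh` are hypothetical. Cron on Debian runs each entry with /bin/sh, where bash's `&>>` is not a redirection operator, so the wrapper uses `>> file 2>&1`; it also keeps the log owner-only instead of world-writable and records the exit status of the job.

```shell
#!/bin/sh
# Added example: cron-safe logging wrapper. The names run_logged and
# cron-logged.sh are hypothetical; they are not part of the Bitnami stack.
#
# Example entry for root's crontab, assuming this file is saved as
# /opt/bitnami/letsencrypt/scripts/cron-logged.sh and made executable:
#   0 * * * * /opt/bitnami/letsencrypt/scripts/cron-logged.sh /opt/bitnami/cron_output.log /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

# run_logged LOGFILE COMMAND [ARGS...]
run_logged() {
    log=$1
    shift
    # Create the log with owner-only permissions; tighten it if it already exists.
    ( umask 077; : >> "$log" ) || return 125
    chmod 600 "$log" || return 125
    printf '%s START %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$log"
    # POSIX redirection: append stdout, then send stderr to the same file.
    "$@" >> "$log" 2>&1
    rc=$?
    printf '%s END rc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rc" >> "$log"
    return "$rc"
}

# When invoked as a script with arguments, run the given command under the wrapper.
if [ "$#" -ge 2 ]; then
    run_logged "$@"
    exit $?
fi
```

A log with no START line after the scheduled minute means cron never launched the entry; a non-zero rc points at the renewal script itself.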

Tried what you suggested and even though the cron_output.log is untouched with original timestamp and empty, I was able to try a few things with an hourly cron. In fact, I explicitly reloaded cron configuration like so:

$ sudo service cron reload
[ ok ] Reloading configuration files for periodic command scheduler: cron.

This seems to have done the trick and I confirmed that SSL certs were refreshed hourly.
Reverted to original cron command with an hour cadence and will see if changes stick.

Hello @stas1,

Thanks for sharing your findings! Let’s see if this solves the SSL renewal cron and in that case we’ll update our documentation.

Regards,
Francisco de Paz

Actually, I take my last comments back. Still not seeing auto updates running, the cron_output.log is not being touched and written to. Cron is not running. Back at square 1.

0 * * * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh &>> /opt/bitnami/cron_output.log

Hello @stas1,

I have started a WP instance and configured an hourly cron for the SSL certificate and it seems to be working. I followed the instructions detailed in our documentation. Could you please retry your configuration as follows:

  • Stop services and generate cert:
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="example@email.com" --domains="domain.es" --domains="www.domain.es" --path="/opt/bitnami/letsencrypt" run
  • Move mock cert to backup and create symlinks for the newly created:
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.csr /opt/bitnami/nginx/conf/bitnami/certs/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/domain.es.key /opt/bitnami/nginx/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/domain.es.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt
  • Configure certs permissions:
sudo chown root:root /opt/bitnami/nginx/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/nginx/conf/bitnami/certs/server*
  • Start services and create renewal script
sudo /opt/bitnami/ctlscript.sh start
sudo mkdir -p /opt/bitnami/letsencrypt/scripts
sudo vim /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
  • The contents for renew-certificate.sh should be:
  #!/bin/bash
  sudo /opt/bitnami/ctlscript.sh stop nginx
  sudo /opt/bitnami/letsencrypt/lego --tls --email="example@email.com" --domains="domain.es" --domains="www.domain.es" --path="/opt/bitnami/letsencrypt" renew --days 90
  sudo /opt/bitnami/ctlscript.sh start nginx
  • Configure script permissions and create the cron
sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
sudo crontab -e
  • The cron definition should be:
1 * * * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

With these steps the certificate will be regenerated every hour.

Regards,
Francisco de Paz

@fdepaz I followed the guide steps as stated and still not able to get the cron to run.

Here is the reference doc:
https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

I am using Approach B (Self-contained Bitnami installations).

Hello @stas1,

I’m not able to reproduce the issue. I suggest you update lego, as that seems to be the only difference between our testing environments. Please check the shared guide for the steps on how to update lego.

Regards,
Francisco de Paz

@fdepaz Unfortunately, I cannot seem to get cron to execute. Followed the guide exactly, manually running the script works without any issues, but cron is not executing no matter what I try.

Hello @stas1,

Let’s try a couple of things. Could you share the output of the following command so we can double-check the renewal script’s permissions:

# Change directory if the script is not in the used one
ls -la /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

Also, try removing all the current crons regarding the renewal and restarting the instance after that. To remove the crons, check both these crontabs:

sudo crontab -e
sudo crontab -e -u bitnami

After that, add again the cron to the following crontab:

sudo crontab -e

Regards,
Francisco de Paz

bitnami@ip-172-31-94-18:~$ ls -la /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
-rwxr-xr-x 1 root root 256 Oct 28  2020 /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

Cleared cron jobs. Under “bitnami” user, there were no entries when checked. Re-added cron and going to see if these will run.

@fdepaz I did some more digging and I notice that cron will only run once when the changes are made.

Hello @stas1,

I’m not sure I understood you, could you detail your testing and the obtained results? I have checked that your domain has an SSL certificate with today’s timestamp, though I’m not sure if it is a product of the cron.

Regards,
Francisco de Paz
