Auto SSL Let's Encrypt

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hello everyone.
Two weeks ago I installed Passbolt 8.2.19 on Debian 12 following the official guide: Install Passbolt on Debian 12 (Bookworm) | Passbolt documentation.
I haven’t had any problems and the system works flawlessly.
I configured the installation with NginX with HTTPS Auto using Let’s Encrypt.
Since I don’t see certbot scheduled tasks in crontab -l for my users, I’m wondering if I will have to manually renew Let’s Encrypt certificates before they expire.
Could you please tell me if this is the case or if they will automatically renew themselves? Or if I have to renew them manually?
Thank you very much for your help.

Gabriel

Hello @neok7 , welcome to the community! :rocket:

Indeed, it should auto-renew: the server relies on the certbot package to manage the renewal of certificates. FYI, certificates are usually renewed one month before the expiration date.

However, you have to ensure that port 80 remains open, since it needs that port to be open in order for Let's Encrypt to proceed.

> Since I don’t see certbot scheduled tasks in crontab -l for my users, I’m wondering if I will have to manually renew Let’s Encrypt certificates before they expire.

In the meantime, it’s possible to monitor certbot with journalctl -u certbot or check the logs available at /var/log/letsencrypt/letsencrypt.log

Hope it helps


Thanks @antony for the answer.
Yes, I know about port 80 and that only certificates that expire in 30 days are renewed.

journalctl -u certbot

Aug 29 05:18:08 pb systemd[1]: Starting certbot.service - Certbot...
Aug 29 05:18:09 pb systemd[1]: certbot.service: Deactivated successfully.
Aug 29 05:18:09 pb systemd[1]: Finished certbot.service - Certbot.
Aug 29 12:21:41 pb systemd[1]: Starting certbot.service - Certbot...
Aug 29 12:21:42 pb systemd[1]: certbot.service: Deactivated successfully.
Aug 29 12:21:42 pb systemd[1]: Finished certbot.service - Certbot.

less /var/log/letsencrypt/letsencrypt.log

2024-08-29 05:18:09,224:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-08-29 05:18:09,224:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-08-29 05:18:09,224:DEBUG:certbot._internal.main:Arguments: ['-q', '--no-random-sleep-on-renew']
2024-08-29 05:18:09,224:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-08-29 05:18:09,232:DEBUG:certbot._internal.log:Root logging level set at 40
2024-08-29 05:18:09,233:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/pb.mydomain.com.conf
2024-08-29 05:18:09,239:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f618afe9150> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f618afe9150>
2024-08-29 05:18:09,245:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e6.o.lencr.org:80
2024-08-29 05:18:09,470:DEBUG:urllib3.connectionpool:http://e6.o.lencr.org:80 "POST / HTTP/1.1" 200 345
2024-08-29 05:18:09,471:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/pb.mydomain.com/cert1.pem is signed by the certificate's issuer.
2024-08-29 05:18:09,474:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/pb.mydomain.com/cert1.pem is: OCSPCertStatus.GOOD
2024-08-29 05:18:09,478:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-08-29 05:18:09,478:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-08-29 05:18:09,479:DEBUG:certbot._internal.plugins.selection:Selecting plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f618ddc2350>
2024-08-29 05:18:09,479:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-29 05:18:09,479:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2024-08-29 05:18:09,479:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/live/pb.mydomain.com/fullchain.pem expires on 2024-11-04 (skipped)
2024-08-29 05:18:09,479:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-08-29 05:18:09,479:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-29 05:18:09,479:DEBUG:certbot._internal.renewal:no renewal failures
2024-08-29 12:21:41,953:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-08-29 12:21:41,953:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-08-29 12:21:41,953:DEBUG:certbot._internal.main:Arguments: ['-q', '--no-random-sleep-on-renew']
2024-08-29 12:21:41,953:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-08-29 12:21:41,961:DEBUG:certbot._internal.log:Root logging level set at 40
2024-08-29 12:21:41,962:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/pb.mydomain.com.conf
2024-08-29 12:21:41,968:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f8205505190> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f8205505190>
2024-08-29 12:21:41,974:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 
2024-08-29 12:21:41,981:DEBUG:urllib3.connectionpool: "POST / HTTP/1.1" 200 345
2024-08-29 12:21:41,982:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/pb.mydomain.com/cert1.pem is signed by the certificate's issuer.
2024-08-29 12:21:41,984:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/pb.mydomain.com/cert1.pem is: OCSPCertStatus.GOOD
2024-08-29 12:21:41,988:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-08-29 12:21:41,989:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-08-29 12:21:41,989:DEBUG:certbot._internal.plugins.selection:Selecting plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f82081dcad0>
2024-08-29 12:21:41,989:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-29 12:21:41,989:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2024-08-29 12:21:41,989:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/live/pb.mydomain.com/fullchain.pem expires on 2024-11-04 (skipped)
2024-08-29 12:21:41,989:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-08-29 12:21:41,989:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-29 12:21:41,990:DEBUG:certbot._internal.renewal:no renewal failures

It is clear that the renewal is automated. I understand that it is done with another mechanism that is not cron. But I don’t know which one it is, because there is no crontab when I run this command:
for user in $(cut -f1 -d: /etc/passwd); do echo "Crontab for $user:"; sudo crontab -u "$user" -l 2>/dev/null; echo; done

I think it can be through the NginX plugin. But I don’t know for sure. Maybe someone can clarify.

Thank you very much!
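
One way to turn the log check discussed above into a pass/fail monitor, as an added example that is not part of any post in this thread: it splits letsencrypt.log into runs at each "certbot version:" line and flags a run that never reaches "no renewal failures", or a certificate that expires before a cutoff date. The function names, the cutoff parameter and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise certbot runs from letsencrypt.log (a file, or "-" for stdin).
# Uses only message strings visible in the log excerpt posted in this thread.

# check_certbot_log LOGFILE CUTOFF   (CUTOFF is YYYY-MM-DD; hypothetical parameter)
# Prints one line per run; returns 1 if a run never logged "no renewal failures"
# or a certificate expires before CUTOFF (ISO dates compare correctly as strings).
check_certbot_log() {
    awk -v cutoff="$2" '
        function emit_run() {
            if (start == "") return
            if (!ok) bad = 1
            printf "%s %s expires=%s\n", start, (ok ? "ok" : "NEEDS-ATTENTION"), (expiry == "" ? "unknown" : expiry)
        }
        /certbot version:/ {               # first line of every certbot run
            emit_run()
            start = $1 " " substr($2, 1, 8); ok = 0; expiry = ""
        }
        /expires on [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/ {
            match($0, /expires on [0-9-]+/)
            expiry = substr($0, RSTART + 11, 10)
            if (expiry < cutoff) bad = 1
        }
        /certbot\._internal\.renewal:no renewal failures/ { ok = 1 }
        END { emit_run(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample in the log format shown in this thread: the first run
# completes normally, the second stops before the end-of-run marker.
sample_log() {
cat <<'EOF'
2024-08-29 05:18:09,224:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-08-29 05:18:09,479:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/live/pb.mydomain.com/fullchain.pem expires on 2024-11-04 (skipped)
2024-08-29 05:18:09,479:DEBUG:certbot._internal.renewal:no renewal failures
2024-08-29 12:21:41,953:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-08-29 12:21:41,962:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/pb.mydomain.com.conf
EOF
}

# Demo on the constructed sample: the second run is flagged, so the function returns 1.
sample_log | check_certbot_log - 2024-10-01 || echo "renewal needs attention"
```

On the server itself, pass /var/log/letsencrypt/letsencrypt.log as the first argument and a date a few weeks ahead as the cutoff; reading that log normally requires root.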

Hi :wave:

It is done with systemd timers, the systemd alternative for cronjobs.

You can list systemd timers with this command:

sudo systemctl list-timers

You will surely find certbot in the list.

Cheers,

Ah, that’s right! I had forgotten that systemd also manages scheduled tasks.
Thank you very much for the tip.
