
Certbot Renewal Cron Job broken on July 8

Posted: 26 Jul 2019 17:28
by warlord
Hi,

My EFA server took an update on July 8th and it rewrote (and BROKE) /etc/cron.d/certbotrenew:

Code:

# ls -l /etc/cron.d/certbotrenew
-rw-r--r--. 1 root root 666 Jul  8 05:14 /etc/cron.d/certbotrenew
# cat /etc/cron.d/certbotrenew
0 0,12 awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php root python -c 'import random; import time; time.sleep(random.random() awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php 3600)' && certbot renew >/dev/null 2>&1

Obviously this is a completely broken crontab file!! My guess is that this is from this update:
Jul 08 05:15:51 Updated: eFa.x86_64 1:4.0.0-64.eFa.el7

Please see my previous post about the certbot crontab and the crontab getpwnam issues to see what I feel should be the correct contents of this file:

Code:

0 0,12 * * * user python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --post-hook '/usr/sbin/service httpd force-reload' >/dev/null 2>&1

Re: Certbot Renewal Cron Job broken on July 8

Posted: 26 Jul 2019 19:32
by shawniverson
Ugh, good to know, that doesn't look right at all.

Re: Certbot Renewal Cron Job broken on July 8

Posted: 26 Jul 2019 19:32
by shawniverson
I'll run some tests and prepare an update.

Re: Certbot Renewal Cron Job broken on July 8

Posted: 26 Jul 2019 20:57
by warlord
Thanks.

If you could actually take my full-blown suggestion from viewtopic.php?f=19&t=3577&p=14151#p14151 it would be even better. That would let us use LetsEncrypt for both HTTP and Postfix and have it do the right thing when the cert is updated.

Re: Certbot Renewal Cron Job broken on July 8

Posted: 27 Jul 2019 12:21
by shawniverson
Not everybody wants the certs for postfix, so I will add some logic to choose either scenario.

The cron is mangled because bash dereferenced the *'s, which is my bad. I should have caught that.

Re: Certbot Renewal Cron Job broken on July 8

Posted: 27 Jul 2019 12:25
by warlord
> Not everybody wants the certs for postfix, so I will add some logic to choose either scenario.

Sure. Configuring LE certs for postfix should absolutely be a separate option. However IMHO restarting postfix when LE certs get renewed is perfectly safe regardless of whether it's using self- or LE certs.

Re: Certbot Renewal Cron Job broken on July 8

Posted: 29 Jul 2019 14:07
by warlord
Oops, I found one bug above. In the cron job where I say "user" it needs to be "root" (or whatever user cron needs to run certbot as).
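
The mangling shown in the first post and the "user" problem from the last one, as an added example that is not part of the thread and not EFA's update code. It assumes an unquoted variable expansion as one way to produce that exact output; the function names are hypothetical, and the check rejects a cron.d file that was glob-expanded or names a user that does not exist before it is installed.

```shell
#!/bin/sh
# Added example, not EFA's update script. Function names are hypothetical.
# JOB is the job line quoted in the thread, with root as the user.
JOB="0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew >/dev/null 2>&1"

# Unquoted expansion: the shell word-splits $JOB and globs every bare "*"
# against the current directory, including the one inside the Python string.
write_cron_unquoted() {
    echo $JOB > "$1"
}

# Quoted expansion: the line reaches the file byte for byte.
write_cron_quoted() {
    printf '%s\n' "$JOB" > "$1"
}

# Return 0 only if every job line has five numeric/wildcard time fields,
# a user that exists, and a command. Month/day names and @reboot-style
# shortcuts are deliberately not accepted in this narrowed check.
check_cron_file() {
    file=$1
    while IFS= read -r line; do
        case $line in ''|'#'*|[A-Za-z_]*=*) continue ;; esac
        set -f; set -- $line; set +f      # split on blanks without globbing
        [ "$#" -ge 7 ] || return 1
        for field in "$1" "$2" "$3" "$4" "$5"; do
            case $field in *[!0-9*,/-]*) return 1 ;; esac
        done
        id -u "$6" >/dev/null 2>&1 || return 1   # cron's user lookup would fail
    done < "$file"
    return 0
}

# Write with the given writer function ($1) to a temp file and move it to
# the destination ($2) only if it validates.
install_cron() {
    tmp=$(mktemp) || return 1
    if "$1" "$tmp" && check_cron_file "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$2" && return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Running `install_cron write_cron_unquoted` from a directory that contains files leaves the destination untouched, because the glob-expanded time fields fail validation.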