Certbot Renewal Cron Job broken on July 8

warlord
Posts: 19
Joined: 16 May 2019 21:21

Post by warlord »

Hi,

My EFA server took an update on July 8th and it rewrote (and BROKE) /etc/cron.d/certbotrenew:

# ls -l /etc/cron.d/certbotrenew
-rw-r--r--. 1 root root 666 Jul  8 05:14 /etc/cron.d/certbotrenew
# cat /etc/cron.d/certbotrenew
0 0,12 awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php root python -c 'import random; import time; time.sleep(random.random() awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php 3600)' && certbot renew >/dev/null 2>&1

Obviously this is a completely broken crontab file!! My guess is that this is from this update:

Jul 08 05:15:51 Updated: eFa.x86_64 1:4.0.0-64.eFa.el7

Please see my previous post about the certbot crontab and the crontab getpwnam issues to see what I feel should be the correct contents of this file:

0 0,12 * * * user python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --post-hook '/usr/sbin/service httpd force-reload' >/dev/null 2>&1
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Certbot Renewal Cron Job broken on July 8

Post by shawniverson »

Ugh, good to know, that doesn't look right at all.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Certbot Renewal Cron Job broken on July 8

Post by shawniverson »

I'll run some tests and prepare an update.
warlord
Posts: 19
Joined: 16 May 2019 21:21

Re: Certbot Renewal Cron Job broken on July 8

Post by warlord »

Thanks.

If you could actually take my full-blown suggestion from viewtopic.php?f=19&t=3577&p=14151#p14151 it would be even better. That would let us use LetsEncrypt for both HTTP and Postfix and have it do the right thing when the cert is updated.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Certbot Renewal Cron Job broken on July 8

Post by shawniverson »

Not everybody wants the certs for postfix, so I will add some logic to choose either scenario.

The cron is mangled because bash dereferenced the *'s, which is my bad. I should have caught that.
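
The glob expansion described in the post above, reproduced in a scratch directory as an added example (not part of the original thread and not the eFa update script, which the page does not show). It assumes the line was held in a variable and echoed unquoted; the function names and scratch layout are hypothetical, and the three file names are taken from the mangled listing.

```shell
#!/bin/sh
# Added example: all files live in a temporary scratch directory.
# The cron.d entry as intended (user field "root", per the thread).
CRON_LINE="0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew >/dev/null 2>&1"

# BROKEN (assumed pattern): unquoted $CRON_LINE is word-split, and every
# bare * is expanded against the files in the current directory.
write_unquoted() {    # $1 = working directory, $2 = output file
    ( cd "$1" && echo $CRON_LINE > "$2" )
}

# FIXED: quoted expansion; printf writes the string unchanged.
write_quoted() {
    ( cd "$1" && printf '%s\n' "$CRON_LINE" > "$2" )
}

# Sanity check to run before installing the file (numeric schedules only,
# no environment lines): the five schedule fields may hold only cron
# schedule characters, a command must follow the user field, and the user
# field must name an existing account.
cron_line_ok() {
    awk '/^[ \t]*(#|$)/ { next }
         { for (i = 1; i <= 5; i++) if ($i !~ "^[0-9*,/-]+$") bad = 1
           if (NF < 7) bad = 1 }
         END { exit bad + 0 }' "$1" || return 1
    user=$(awk '!/^[ \t]*(#|$)/ { print $6; exit }' "$1")
    id "$user" >/dev/null 2>&1
}

# Demo with constructed files named after the mangled listing.
scratch=$(mktemp -d)
mkdir "$scratch/www"
touch "$scratch/www/awl.php" "$scratch/www/conf.php" "$scratch/www/index.php"
write_unquoted "$scratch/www" "$scratch/broken.cron"
write_quoted   "$scratch/www" "$scratch/fixed.cron"
for f in broken fixed; do
    if cron_line_ok "$scratch/$f.cron"; then
        echo "$f.cron: ok"
    else
        echo "$f.cron: rejected"
    fi
done
rm -rf "$scratch"
```

The same check rejects a line whose user field is not a real account, which is the "user" versus "root" point raised later in the thread.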
warlord
Posts: 19
Joined: 16 May 2019 21:21

Re: Certbot Renewal Cron Job broken on July 8

Post by warlord »

> Not everybody wants the certs for postfix, so I will add some logic to choose either scenario.

Sure. Configuring LE certs for postfix should absolutely be a separate option. However IMHO restarting postfix when LE certs get renewed is perfectly safe regardless of whether it's using self- or LE certs.
warlord
Posts: 19
Joined: 16 May 2019 21:21

Re: Certbot Renewal Cron Job broken on July 8

Post by warlord »

Oops, I found one bug above. In the cron job where I say "user" it needs to be "root" (or whatever user cron needs to run certbot as).