Let's Encrypt Auto-renew Crontab Not Working


#1

I have a lot of sites being powered by EE and all of them are using Let’s Encrypt for SSL. Each installation is on its own VPS with its own dedicated IP Address. Every one of the websites was able to utilize the Let’s Encrypt SSL Certificate and is able to renew the certificate if I issue the command manually, but not one of the instances has ever auto-renewed an SSL Certificate, via crontab.

When I’m logged into the console/terminal with my user account and issue the “crontab -l” command, I get:

0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine

This reads the exact same when I run the “crontab -l” command as the root user.

There is only one site per VPS and it looks like it is set up to work correctly.

Also, I NEVER get a system generated email about SSL Certificate Success nor Failures.


#2

Actually you have to make some modification to the code.

Type crontab -e, open your crontab file in your preferred editor, remove the line:

0 0 * * 0  ee site update --le=renew --all 2> /dev/null

and replace it with the following line:

0 0 1 * * ee site update --le=renew --all 2> /dev/null

Save the crontab file and exit the editor. The above command would check your LE certificates every month on the 1st and renew for all necessary EE sites.

Alternatively, you can add:

@monthly ee site update --le=renew --all 2> /dev/null

which is the same command with an easier syntax. You can then type crontab -l to view your crontab to ensure what you just added is actually there.


#3

Thank you for responding @sagar30 I appreciate your attention to this.

I do have a follow-up concern though…

The syntax I provided is the exact same syntax in every EE installation I currently have. Why is it not being configured correctly when EE is installed or when Let’s Encrypt is activated? Remember, each of my websites is running on its own VPS.


#4

@bamajr That’s simple. Everyone may not want to set crontab, so it is disabled by default.

You can clearly see it is advised to put the following code in the official documentation of EE https://easyengine.io/docs/lets-encrypt

0 12 * * * ee site update --le=renew --all 2> /dev/null 

It is slightly different from the code I advised before but it doesn’t matter because the five digits (in this case 0 12 * * *) before the actual command, define the date and frequency (monthly, daily) at which the command is supposed to run.

Its format is

* * * * *
| | | | |
| | | | +-- Year (range: 1900-3000)
| | | +------ Month of the Year (range: 1-12)
| | +-------- Day of the Month (range: 1-31)
| +---------- Hour (range: 0-23)
+------------ Minute (range: 0-59)

For example, if you set it as * * * * *, the command will run each minute (not advised).

By default it is set as 0 0 * * 0, in which the last digit, which represents the year, is set to 0, but it should have a value of 1900-3000; setting it to 0 means it will never run, and in your case you should leave it as * because you can’t run the command yearly, as the letsencrypt license expires in 3 months.

The first two digits are both 0, which represent hour and minute. So, if the other fields are left as * and the first two digits as 0 (0 0 * * *), the command will run every day at 00:00 (midnight), and if you set it as (0 12 * * *), as defined in the official documentation, it will run every day at 12:00, which is not bad but may consume a lot of resources, and we don’t need it as the letsencrypt certificate expires only in 3 months. So we are modifying the code and setting the third digit, which defines the month, to 1 (0 0 1 * *) so that it runs once a month; the 1st of each month at midnight, to be exact.

Hope it helps.


#5

I’ve actually got the page you referenced bookmarked, but I didn’t see any reference to the format of the five digits, at the front of the line.

Thank you @sagar30 - Clears everything up related to Let’s Encrypt.

Now I need to address the email issue (last line of OP).


#6

You can read about format here:

http://www.nncron.ru/help/EN/working/cron-format.htm

Modern format consists of 6 digits but it’s okay to define 5 digits too.


#7

See the issue report in the ee GitHub repository here. Solution included:


#8

I have the same problem in Ubuntu 16.04. Problem solved by adding “sudo”, even though it is a root user.

Working command: 0 0 * * 0 sudo ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine

I recommend using a cron monitoring service such as https://healthchecks.io/ that automatically notifies you via email/pushbullet/slack ++ if your checks failed.


#9

I too still have issues with Crontab not working, though I’m having more success now than before, thanks to @sagar30

https://healthchecks.io/ may very well prove to be a great tool, @liewzy. Has anyone else had any success with this cron monitoring tool?


#10

Monitoring cronjob is maybe not required. Just replace

2> /dev/null

by

>> /var/log/ee/renew.log

So you will be able to check cronjob logs and see why the letsencrypt renewal has failed.


#11

Yes @virtubox, log files can be helpful tools, too.


#12

@sagar30 The last digit is day of the week not year. So ee’s default setting is weekly, which is fine. 0 0 * * 0 = midnight on Sunday (i.e. weekly) (you linked to nncron which is not the same thing - cron uses 5 digits)

@liewzy I don’t think adding sudo to the root user cron makes any difference at all :slight_smile: . I think it’s more likely that the job is failing sometimes (for other reasons), which is why a weekly job is probably a much better idea than only monthly.


#13

Has anyone found the fix for this issue? I am having the same issue on all of my servers and I have the latest EE script installed and have even done a few fresh installs which also have the issue.


#14

Please try to give the full (absolute) path for the ee command in your cronjobs. You can ask where ee is located by typing ‘which ee’ interactively; insert this absolute path into your cronjob, hope it will work then for you…


#15

Below is exactly what is listed when I run crontab -l, which is put in there by default when I turn on SSL for a site. I assume it should work but it never runs on any of my servers.

0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine

#16

That’s what I do: a script (named myeelerenew.sh, sorry for not being creative) running from cron every night:

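#!/bin/bash
# Renew the Let's Encrypt certificate of every site EE lists, except example.com.
# The sed expression strips ANSI color codes from the "ee site list" output.
for DOM in $(ee site list | grep -v example.com | sort | sed 's/\x1B\[[0-9;]*[JKmsu]//g'); do
    ee site update "$DOM" --le=renew
done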

It works for me. Your mileage may vary, of course.


#17

Is this sed command to remove ANSI-Colors? Ugly… :slight_smile:


#18

Ugly but efficient, just like me. LOL

I could have queried EE’s SQLite database, directly; but for some reason I didn’t want it.


#19

With the hint of ingobaab and a hint from the terminal I made three changes to make it work (although I’m sure there are more ways to success):

  1. Moved the entry to /etc/cron.d/ee
  2. Added the executing user (root) in between the ‘time’ section and the ‘command’ section
  3. Added the exact path to ee (found by ‘which ee’) to the command section

So, my resulting entry (in cron.d) is: 0 0 * * 0 root /usr/local/bin/ee site update --letsencrypt=renew --all >> /var/log/ee/renew.log

… that did the job for me… but I suppose for most just adding the path to ee (/usr/local/bin) should suffice.
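
An added example (not part of any post in this thread, and not EasyEngine code): a POSIX shell function that audits one crontab entry for the points raised above, namely which field sets the schedule, whether the command is an absolute path, and whether stderr is kept. The function name and the finding labels are hypothetical; the sample entries are the ones quoted in the thread.

```shell
#!/bin/sh
# Usage: audit_cron_line '<entry>' [user|system]
#   "system" = /etc/cron.d style, where a user name precedes the command.
# The body runs in a subshell so "set --" and variables stay local.
audit_cron_line() (
    line="${1%% #*}"; format="${2:-user}"; findings=""   # drop trailing " # comment"
    set -f; set -- $line; set +f        # split into words without globbing "*"
    case $1 in
        @*) sched=$1; shift ;;          # @monthly, @weekly, ... replace the 5 fields
        *)  [ $# -ge 6 ] || { echo "malformed"; return 1; }
            # Field 5 is the day of the week (0 or 7 = Sunday), not a year.
            if   [ "$5" != "*" ]; then sched="weekday=$5"
            elif [ "$3" != "*" ]; then sched="monthday=$3"
            else sched="every-day"
            fi
            shift 5 ;;
    esac
    if [ "$format" = system ]; then shift; fi      # skip the user field
    [ $# -ge 1 ] || { echo "malformed"; return 1; }
    cmd=$1; rest="$*"

    # cron's default PATH is minimal (typically /usr/bin:/bin), so a bare
    # name such as "ee" installed in /usr/local/bin may not be found.
    case $cmd in /*) ;; *) findings="$findings relative-command" ;; esac

    case $rest in
        # Discarding stderr hides the reason a renewal failed.
        *"2> /dev/null"*|*"2>/dev/null"*|*"/dev/null 2>&1"*)
            findings="$findings stderr-discarded" ;;
        *"2>"*|*"&>"*) ;;               # stderr is redirected somewhere useful
        # stdout is appended to a log, but errors bypass that file.
        *">>"*) findings="$findings stderr-not-logged" ;;
    esac
    echo "$sched${findings:- ok}"
)

# Entries quoted in the thread (posts #1 and #19):
audit_cron_line '0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine'
audit_cron_line '0 0 * * 0 root /usr/local/bin/ee site update --letsencrypt=renew --all >> /var/log/ee/renew.log' system
```

An entry that uses the absolute path and ends in `>> /var/log/ee/renew.log 2>&1` reports `ok`, because both output streams then reach the log file.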


#20

Ugly, but done - is always better than perfect, - but not ready… :smiley: