Add steps to enable weekly renewal on FreeBSD
Hello!
Weekly renewal isn't working on FreeBSD 13.1.
The /usr/local/etc/periodic/weekly/500.certbot-3.9 cronjob immediately exits and will not run unless some values are added to /etc/periodic.conf.
I believe the fix is to add a step to the documentation on these pages:
- https://certbot.eff.org/instructions?ws=apache&os=freebsd
- https://certbot.eff.org/instructions?ws=nginx&os=freebsd
Enable automatic renewal
Add these lines to /etc/periodic.conf:
```
# Let's Encrypt: Weekly renewal
weekly_certbot_enable="YES"
weekly_certbot_service="apache"
weekly_certbot_post_hook="service apache24 restart"
# weekly_certbot_deploy_hook="/tmp/a.sh"
# weekly_certbot_custom_args="--force-renewal"
```
For the Nginx version of the docs, swap out these two lines in the above block:
```
weekly_certbot_service="nginx"
weekly_certbot_post_hook="service nginx restart"
```
Also, the docs have a line that could use an edit. FreeBSD doesn't have systemd.
The Certbot packages on your system come with a cron job ~~or systemd timer~~ that will renew your certificates automatically before they expire.
> weekly_certbot_service
Hmm. The nginx and Apache instructions should not require the use of weekly_certbot_service or weekly_certbot_post_hook.
If the --apache or --nginx plugins are in use, then Certbot should gracefully reload the servers as required without any hooks required.
If something like certbot certonly --{standalone,webroot} was used to obtain a certificate, then (by our documentation), the --pre-hook and --post-hook should be part of the user's invocation of Certbot, which will be recalled by Certbot on future occasions. The period script shouldn't need knowledge of that.
> weekly_certbot_enable
Yes, it would seem that the period script is not enabled by default. I will see whether we can get that added, or possibly get the default value changed.
> I will see whether we can get that added
This is being asked internally to the website team.
> or possibly get the default value changed.
and I've raised that question here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269427
I'm going to assign this to Alexis and Alex for now to get it out of the triage queue since they've both started working on it, but feel free to kick it back my way if you're done working on it and want someone else to take over.
I was able to figure out what happened on my end.
Typically, services are enabled on FreeBSD with lines added to /etc/rc.conf. I misread the certbot instructions and added weekly_certbot_enable="YES" to /etc/rc.conf instead of /etc/periodic.conf. That's why the renewal script was failing.
Those instructions only show once after certbot is installed:
```
In order to automatically renew the certificates, add this line to
/etc/periodic.conf:
weekly_certbot_enable="YES"
More config details in the certbot periodic script:
/usr/local/etc/periodic/weekly/500.certbot-3.9
```
Weeks later, when I figured out renewals were not working, I checked the only documentation I knew of (on certbot.eff.org) but it looked like I had followed all the steps there. It was confusing why things were broken until I did a bunch of digging.
If it's decided that the auto-renewal service not be enabled on install, updating the instructions on certbot.eff.org to remind folks to add that line to /etc/periodic.conf would be a really helpful reference.
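A check for the misplacement described in this thread (the enable line written to /etc/rc.conf instead of /etc/periodic.conf), as an added example that is not part of the original issue or of Certbot's own tooling. The function names are hypothetical, it inspects only the two files passed to it, and it assumes the periodic script treats a case-insensitive "YES" as enabled.

```shell
#!/bin/sh
# Added example: report why the weekly certbot periodic job would exit early.
# Usage: sh check.sh [periodic.conf] [rc.conf]

# Print the last value assigned to variable $2 in sh-style conf file $1.
# Commented-out assignments are ignored; a missing file yields no output.
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Assumption: the periodic script accepts YES in any letter case.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one of:
#   enabled   - weekly_certbot_enable="YES" is set in the periodic conf file
#   misplaced - not enabled there, but the variable is set in the rc conf file
#   disabled  - not set to YES in either file
check_certbot_periodic() {
    periodic_conf=$1
    rc_conf=$2
    var=weekly_certbot_enable
    if is_yes "$(conf_value "$periodic_conf" "$var")"; then
        echo enabled
    elif [ -n "$(conf_value "$rc_conf" "$var")" ]; then
        echo misplaced
    else
        echo disabled
    fi
}

state=$(check_certbot_periodic "${1:-/etc/periodic.conf}" "${2:-/etc/rc.conf}")
case "$state" in
    enabled)   echo "weekly renewal is enabled" ;;
    misplaced) echo "weekly_certbot_enable is in rc.conf; move it to periodic.conf" ;;
    disabled)  echo "weekly renewal is not enabled; add weekly_certbot_enable=\"YES\" to periodic.conf" ;;
esac
```

A "misplaced" result matches the situation reported above: certificates are issued normally, but the weekly job never renews them.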