puppet-letsencrypt

/etc/cron.d/certbot cron file should be absent when manage_cron is set to true on Debian

Open hostingnuggets opened this issue 6 years ago • 8 comments

In my opinion the /etc/cron.d/certbot (default cron job for running certbot twice per day on Debian with official certbot package) file should be absent when one sets manage_cron to true as both can/will interfere.

I did not check on other distributions but this might also be an issue with other distros.

For your reference here is the content of that /etc/cron.d/certbot file on Debian 9:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

What do you think?

hostingnuggets avatar Jan 28 '19 12:01 hostingnuggets

It's a valid point. On Debian (and likely Debian-based) there is indeed a default cronjob (and systemd timer) but there isn't on RH(-based).

ekohl avatar Jan 28 '19 12:01 ekohl

@hostingnuggets could you provide a PR for this?

bastelfreak avatar Jan 28 '19 13:01 bastelfreak

@bastelfreak yes that should be an easy one. Just about the rspec test I am not sure if it would work because in order to test that the default package certbot cron file is present/absent I need the certbot package to be installed. Or do you have an idea what test would make sense?

hostingnuggets avatar Jan 28 '19 16:01 hostingnuggets

I'd guess a $letsencrypt::manage_cron_per_cert parameter makes sense. Determine the default true/false (probably always true except Debian). Then the define uses that value as a default.

ekohl avatar Jan 28 '19 16:01 ekohl

I see, so a new test in letsencrypt_certonly_spec.rb would be required where I define the manage_cron_per_cert in params to its default (true) and then what should be used as expect? Should it just be compile.with_all_deps?

hostingnuggets avatar Jan 29 '19 08:01 hostingnuggets

On a related note, on RHEL7 systems the supplied timer should be disabled when cron is managed.

  systemd::unit_file { 'certbot-renew.timer':
    target => '/dev/null',
  }

vchepkov avatar Mar 31 '19 13:03 vchepkov

@vchepkov can you provide a PR for this?

bastelfreak avatar Mar 31 '19 18:03 bastelfreak

And for Debian 11 (certbot 1.12.0-2) we should disable systemd certbot.timer

OlegPS avatar Sep 10 '22 12:09 OlegPS
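
A host-side check for the duplicate schedulers discussed in this thread, added here as an example (it is not code from the module or from any commenter): it reports the packaged cron file and any unmasked certbot timer. The unit directories, the function names and the ROOT argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report packaged certbot renewal schedulers that would run
# alongside a Puppet-managed cron job. ROOT is a filesystem prefix (empty
# means the live system) so the check can be pointed at a constructed tree.

# Timer names are the two mentioned in the thread; the unit directories are
# the usual systemd locations (an assumption, not taken from the thread).
TIMERS="certbot.timer certbot-renew.timer"
UNIT_DIRS="lib/systemd/system usr/lib/systemd/system"

# A unit is masked when /etc/systemd/system/<unit> is a symlink to /dev/null,
# which is what the systemd::unit_file snippet in the thread sets up.
is_masked() {
    m_link="$1/etc/systemd/system/$2"
    [ -L "$m_link" ] && [ "$(readlink "$m_link")" = "/dev/null" ]
}

# Print one line per scheduler found: "cron:<path>" or "timer:<unit>".
certbot_schedulers() {
    root=${1:-}
    if [ -e "$root/etc/cron.d/certbot" ]; then
        echo "cron:/etc/cron.d/certbot"
    fi
    for unit in $TIMERS; do
        for dir in $UNIT_DIRS; do
            if [ -e "$root/$dir/$unit" ] && ! is_masked "$root" "$unit"; then
                echo "timer:$unit"
                break
            fi
        done
    done
}

# Succeeds only when nothing packaged competes with the managed cron job.
no_duplicate_renewal() {
    [ -z "$(certbot_schedulers "${1:-}")" ]
}

# Stand-alone use: audit the prefix given as the first argument.
certbot_schedulers "${1:-}"
```

The packaged cron entry quoted at the top of the thread only runs certbot when /run/systemd/system is absent, so on hosts running systemd the timer is the scheduler that actually fires next to a managed cron job.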