/etc/cron.d/certbot cron file should be absent when manage_cron is set to true on Debian #164

Open
hostingnuggets opened this issue Jan 28, 2019 · 8 comments · May be fixed by #289

@hostingnuggets

In my opinion the /etc/cron.d/certbot (default cron job for running certbot twice per day on Debian with official certbot package) file should be absent when one sets manage_cron to true as both can/will interfere.

I did not check on other distributions but this might also be an issue with other distros.

For your reference here is the content of that /etc/cron.d/certbot file on Debian 9:

```
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
```

What do you think?

@ekohl
Member

ekohl commented Jan 28, 2019

It's a valid point. On Debian (and likely Debian-based) there is indeed a default cronjob (and systemd timer) but there isn't on RH(-based).

@bastelfreak
Member

@hostingnuggets could you provide a PR for this?

@hostingnuggets
Author

@bastelfreak yes that should be an easy one. Just about the rspec test I am not sure if it would work because in order to test that the default package certbot cron file is present/absent I need the certbot package to be installed. Or do you have an idea what test would make sense?

@ekohl
Member

ekohl commented Jan 28, 2019

I'd guess a $letsencrypt::manage_cron_per_cert parameter makes sense. Determine the default true/false (probably always true except Debian). Then the define uses that value as a default.

@hostingnuggets
Author

I see, so a new test in letsencrypt_certonly_spec.rb would be required where I define the manage_cron_per_cert in params to its default (true), and then what should be used as expect? Should it just be compile.with_all_deps?

@vchepkov
Contributor

On a related note, on RHEL7 systems the supplied timer should be disabled when cron is managed.

```
  systemd::unit_file { 'certbot-renew.timer':
    target => '/dev/null',
  }
```

@bastelfreak
Member

@vchepkov can you provide a PR for this?

gmenuel linked a pull request May 11, 2022 that will close this issue

@OlegPS

OlegPS commented Sep 10, 2022

And for Debian 11 (certbot 1.12.0-2) we should disable systemd certbot.timer
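
A read-only check for the overlap this thread describes, as an added example that is not part of the issue or the module's code: it reports which packaged renewal schedulers (the `/etc/cron.d/certbot` job, `certbot.timer`, `certbot-renew.timer`) would still run beside a Puppet-managed cron job. The function names and the systemd paths under `/etc/systemd/system` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is the filesystem root to inspect.
# /etc/cron.d/certbot and the unit names come from the thread; the systemd
# paths are the standard /etc/systemd/system locations (assumption).

# cron_state ROOT -> absent | inert | active
# absent: no file, or no uncommented "certbot ... renew" job in it.
# inert:  the job is guarded by "! -d /run/systemd/system" (as in the Debian 9
#         file quoted above) and systemd is running, so cron skips certbot.
cron_state() {
    root=${1%/}
    lines=$(grep -v '^[[:space:]]*#' "$root/etc/cron.d/certbot" 2>/dev/null |
            grep 'certbot.*renew' || true)
    if [ -z "$lines" ]; then
        echo absent
    elif printf '%s\n' "$lines" | grep -q '! -d /run/systemd/system' &&
         [ -d "$root/run/systemd/system" ]; then
        echo inert
    else
        echo active
    fi
}

# timer_state ROOT UNIT -> masked | enabled | absent
# masked: /etc/systemd/system/UNIT is a symlink to /dev/null, which is what
# the systemd::unit_file snippet in the thread creates.
timer_state() {
    etc="${1%/}/etc/systemd/system"
    if [ -L "$etc/$2" ] && [ "$(readlink "$etc/$2")" = /dev/null ]; then
        echo masked
    elif [ -e "$etc/timers.target.wants/$2" ] || [ -L "$etc/timers.target.wants/$2" ]; then
        echo enabled
    else
        echo absent
    fi
}

# active_schedulers ROOT: one line per packaged scheduler that would still run
# "certbot renew"; empty output means only the managed cron job is left.
active_schedulers() {
    [ "$(cron_state "$1")" = active ] && echo "cron /etc/cron.d/certbot"
    for unit in certbot.timer certbot-renew.timer; do
        [ "$(timer_state "$1" "$unit")" = enabled ] && echo "timer $unit"
    done
    return 0
}

active_schedulers "${1:-/}"
```

On a Debian host running systemd, the cron file reports `inert` and the enabled `certbot.timer` is the scheduler that actually competes with the managed job.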
