Will certbot actually renew my certificate?

Question

Looking at /etc/cron.d/certbot, I don't think it will! That file includes the line:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

and, unless I'm reading it wrong, renewal will only happen if there's a readable, executable file called /usr/bin/certbot (there is) AND if there's not a directory called /run/systemd/system (but there is, even though it's empty).

So am I right and the certbot -q renew bit will never run? Is there perhaps somewhere else that also triggers the renewal? (I thought there might be something in /run/systemd/system because that's being checked, but as I said, there's not. Out of curiosity, why does this little script check for the non-existence of /run/systemd/system?)

This is running the latest certbot (v1.18.0, installed yesterday using the official instructions) on Ubuntu 18.04.

By the way, I have run:

test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot renew --dry-run

as root on the command line, and it exits immediately with an exit status of 1.

Answer 1

If the system is using systemd, it will run as a systemd service, triggered by time.

If you run systemctl status certbot.timer you will get the status of the service that triggers certbot from systemd.

This is why the cron script is configured not to run renewal if systemd is detected on the machine.