2

I'm using Let's Encrypt to secure an Apache installation on Ubuntu. I recently set up a deploy hook script to run on renewals, which I'm passing to certbot renew in a cron job by using the --deploy-hook option.

On the first renewal since setting it up, I noticed that the deploy hook script didn't run. Digging into the logs, I found that the invocation of certbot renew that actually performed the renewal was not called with the --deploy-hook argument.

I also see that certbot renew is being called three times per day, while my cron job is only set up to run once per day. One of those three calls is exactly at the time specified in the cron job, and the --deploy-hook argument is provided. The other two times are around 00:30 and around 12:45, but the exact times vary by several minutes day to day. The --deploy-hook argument is not provided on those other calls.

So: what on earth is running certbot renew other than my cron job? I verified that only root has a crontab, and that it only contains the single job definition.

Aron
    The answers to https://serverfault.com/questions/449651/why-is-my-crontab-not-working-and-how-can-i-troubleshoot-it/449652#449652 will likely help you solve your problem – user9517 Dec 11 '17 at 19:35

1 Answer

6

Remember that in addition to the user crontabs there is also a system crontab file, the cron.d directory, and the cron.hourly, cron.daily and cron.weekly directories. These are a likely culprit if you installed the software from a package.

Specifically, when I look at the certbot Debian package I see a file /etc/cron.d/certbot. If you installed certbot from a package then I suspect this is your culprit.

Peter Green
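An added example (not part of the answer above, and not certbot's own tooling): a shell function that searches the cron locations the answer lists for `certbot ... renew` lines and marks whether each one passes `--deploy-hook`. As assumptions beyond the page, it also checks /etc/cron.monthly, the Debian/Ubuntu user crontab spool, and the systemd unit directories, since a package can schedule a job from a systemd timer as well; the function name `audit_certbot_jobs` and its optional root-prefix argument are illustrative.

```shell
#!/bin/sh
# Added example. List every scheduled "certbot ... renew" under ROOT and mark
# whether it passes --deploy-hook. ROOT is an optional prefix (empty = live
# system); run as root so /var/spool/cron/crontabs is readable.
audit_certbot_jobs() {
    root="${1:-}"
    for path in \
        "$root/etc/crontab" \
        "$root/etc/cron.d" \
        "$root/etc/cron.hourly" \
        "$root/etc/cron.daily" \
        "$root/etc/cron.weekly" \
        "$root/etc/cron.monthly" \
        "$root/var/spool/cron/crontabs" \
        "$root/etc/systemd/system" \
        "$root/lib/systemd/system"
    do
        [ -e "$path" ] || continue
        # -r recurse, -n line numbers, -H always print the file name,
        # -s hide errors for unreadable files
        grep -rnHs -E 'certbot.*renew' "$path" || true
    done |
        # drop hits whose line content is a comment
        grep -Ev '^[^:]*:[0-9]+:[[:space:]]*#' |
        awk '{ tag = index($0, "--deploy-hook") ? "HOOK" : "NO-HOOK"
               print tag "\t" $0 }'
}

audit_certbot_jobs "${1:-}"
```

Each NO-HOOK line names a scheduler entry that renews without the hook; entries that reach certbot through a wrapper script are not detected.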