I thought after the successful renewal of my certificates here, I’d set up a certbot cron task to run every day that should automagically renew any certificates due to expire within the next 30 days 😉

I’ve always struggled with using crontab on FreeBSD as it uses the vi editor.  I much prefer using nano, but for crontab, it’s better to just work with the default.  So the commands I used are:

# crontab -u root -e (opens crontab) 
# i (sets the editor into insert mode) 
# 45 23 * * * certbot renew >> /var/log/le-renew.log && service nginx reload (runs certbot renew at 23:45 every day and saves the output to /var/log/le-renew.log and reloads Nginx service) 
# [esc]:wq (takes vi out of insert mode, and then saves and exits crontab)
# touch /var/log/le-renew.log (creates the log file to be saved to)

 

And that should be it. I checked the /var/log/le-renew.log file the following day, and there was nothing there!  When I checked again, I’d created a log file named ls-renew.log, which explains why it didn’t work!  When I moved the file to the correct name, the following day it showed the certbot renew commands and that none of my certificates was due to renew. The next one should renew around the 25th November, so I’ll provide a further update then.

By then I might have also figured out how to add a date and time to the command so the log file makes a bit more sense with multiple entries!

UPDATE – I’ve actually been trying to include the date for a few days now, by creating a simple script file and then getting the cron task to run the script.  The script was just:

#!/bin/sh
# Date stamp for this run
today=$(date +%Y-%b-%d)
echo "$today" >> /var/log/le-renew.log
# Append the renewal output, then the reload output, to the same log
certbot renew >> /var/log/le-renew.log
service nginx reload >> /var/log/le-renew.log


but after trying various different options, I just can’t get it to add the date AND the certbot output. It will do one, or the other, but not both. It was starting to frustrate me as if I ran the script file inside the jail, it did what I was expecting, so I eventually tried to schedule it from within the FreeNAS WUI – jexec ssl_proxy sh /le-renew.sh – rather than using cron. This worked fine, and at 23:50 every day the script runs and updates the date, certbot tasks and the NGINX reload into /var/log/le-renew.log 😀  So if you stumbled upon this blog trying to work out how to schedule certbot renewals using cron, I’m sorry as I’m not actually doing that now!  If you are using FreeNAS though, lucky you!!

There’s a further benefit of running it like this, in that FreeNAS sends a daily update with the results, so today it told me my emby cert had renewed automatically.  Result!
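
For comparison, here is a variant of the script above that sets an explicit PATH (cron may start jobs with a narrower PATH than an interactive shell), captures stderr as well as stdout, timestamps every line, and reloads Nginx only when certbot exits successfully. It is an added example, not the script from this post; the `LE_*` override variables and the `run` argument are hypothetical, and the PATH assumes certbot and nginx were installed from packages under /usr/local.

```shell
#!/bin/sh
# Added example, not the script from the post.
# Assumption: certbot and nginx are package installs under /usr/local.
# Set PATH explicitly so the job does not depend on the scheduler's environment.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
export PATH

LOG=${LE_LOG:-/var/log/le-renew.log}
CERTBOT=${LE_CERTBOT:-certbot}               # hypothetical override, for testing
RELOAD=${LE_RELOAD:-service nginx reload}    # hypothetical override, for testing

# Prefix each line on stdin with a timestamp and append it to the log.
log_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"
    done >> "$LOG"
}

# Run one command with stdout AND stderr captured, log both, return its status.
run_logged() {
    if out=$("$@" 2>&1); then rc=0; else rc=$?; fi
    if [ -n "$out" ]; then printf '%s\n' "$out" | log_lines; fi
    printf '%s exited with status %s\n' "$1" "$rc" | log_lines
    return "$rc"
}

# Renew, then reload nginx only if certbot succeeded.
renew_and_log() {
    echo "renewal run started" | log_lines
    # $CERTBOT and $RELOAD are unquoted on purpose so they split into words.
    if run_logged $CERTBOT renew; then
        run_logged $RELOAD
    else
        echo "certbot failed, nginx not reloaded" | log_lines
        return 1
    fi
}

# Scheduler entry would call: sh /le-renew.sh run
case "${1:-}" in
    run) renew_and_log ;;
esac
```
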