Package: certbot
Version: 1.12.0-2
Severity: normal
X-Debbugs-Cc: hims...@blieque.co.uk

Dear Maintainer,

The (legacy?) Cron job (`/etc/cron.d/certbot`) for Certbot runs the
certificate renewal program every 12 hours, and starts with a random
0–12-hour delay. This helps to distribute load on Let's Encrypt servers
over time.

```
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
```

Certbot will not renew certificates with more than 2 months of validity
remaining without an explicit flag, so most executions of Certbot do not
result in any domain validations or certificate issuances.

My system recently appears to have started using `certbot.timer` rather
than the Cron job. This timer only executes Certbot once a month, which
causes a few problems.

- Although this is frequent enough to avoid running invalid
  certificates, it does only execute Certbot once, and this execution
  could fail for some reason. If it did, certificates would be left to
  expire.

- It could cause certificates to be updated only days before their
  expiry, which could cause problems in distributed application
  architectures and provide administrators less time to sort problems.

- Lastly, Let's Encrypt starts sending warning emails when certificates
  have less than 2 weeks of validity remaining, which is usually an
  early sign of auto-renewal being broken. These emails are what led me
  to investigate this.

I have tested versions 1.12.0-2 and 2.1.0-2 of the Debian package. I
assume the `.timer` file is Debian's concern rather than Certbot's.

SOLUTION:

Update `/etc/systemd/system/certbot.timer`:

- Change `OnCalendar` property to `OnCalendar=*-*-* */12:00:00`.
- Add `RandomizedDelaySec=43200`.

Thanks

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-16-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages certbot depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  python3                3.9.2-3
ii  python3-certbot        2.1.0-2

certbot recommends no packages.

Versions of packages certbot suggests:
pn  python-certbot-doc      <none>
pn  python3-certbot-apache  <none>
pn  python3-certbot-nginx   <none>

-- Configuration Files:
/etc/letsencrypt/cli.ini changed:
max-log-backups = 0
preconfigured-renewal = True


-- debconf information:
  certbot/remove_live_certs: true
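The timer change proposed above, as an added example that is not part of the bug report or of the Debian package: a POSIX shell script that applies it as a systemd drop-in instead of editing the packaged unit, so the change survives package upgrades. The drop-in path follows systemd's standard `<unit>.d/override.conf` convention; the subcommand names are the example's own. The empty `OnCalendar=` line matters: `OnCalendar` is a list setting, and a drop-in that only appends a new value would keep the packaged monthly schedule alongside it.

```shell
#!/bin/sh
# Added example (not from the bug report or the certbot package): make
# certbot.timer fire every 12 hours with a random 0-12 h delay, matching the
# cron schedule, via a systemd drop-in. Assumes a systemd with
# `systemd-analyze calendar` (v235+; Debian 11 ships v247).
set -eu

OVERRIDE_DIR=/etc/systemd/system/certbot.timer.d   # standard drop-in dir for certbot.timer
OVERRIDE_FILE="$OVERRIDE_DIR/override.conf"

# Print the drop-in. The first, empty OnCalendar= clears the packaged list
# entry; the second adds the 12-hourly schedule. RandomizedDelaySec spreads
# each run over the following 12 hours (43200 s), like the cron job's sleep.
render_override() {
    cat <<'EOF'
[Timer]
OnCalendar=
OnCalendar=*-*-* */12:00:00
RandomizedDelaySec=43200
EOF
}

# Write the drop-in and reload so the timer picks up the new schedule.
install_override() {
    mkdir -p "$OVERRIDE_DIR"
    render_override > "$OVERRIDE_FILE"
    systemctl daemon-reload
    systemctl restart certbot.timer
}

# Check that the calendar expression parses, show the merged unit, and list
# the next scheduled run so a mistake is visible immediately.
verify_schedule() {
    systemd-analyze calendar '*-*-* */12:00:00'
    systemctl cat certbot.timer
    systemctl list-timers certbot.timer
}

case "${1:-show}" in
    install) install_override && verify_schedule ;;
    verify)  verify_schedule ;;
    *)       render_override ;;   # default: dry run, print the drop-in only
esac
```

Run it with no arguments to see the drop-in it would write, `install` to apply it (as root), and `verify` to confirm the schedule afterwards; `systemctl list-timers` should then show the next trigger within the coming 12 hours rather than next month.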
