Missing acme.sh cron?

[halfgaar]

My monitoring alerted me that SSL certificates from Froxlor sites are expiring. As in, the first one triggered my warning level of 24 days. I see the PHP code only loads certificates from disk now, and a recent commit message says that acme.sh is supposed to renew?

Am I missing a cron? My /etc/cron.d/froxlor is:

# automatically generated cron-configuration by froxlor
# do not manually edit this file as it will be re-generated periodically.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
*/5 * * * * root /usr/bin/nice -n 5 /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --tasks 1> /dev/null
0 0 * * * root /usr/bin/nice -n 5 /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --traffic 1> /dev/null
5 0 * * * root /usr/bin/nice -n 5 /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --usage_report 1> /dev/null
0 */6 * * * root /usr/bin/nice -n 5 /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --mailboxsize 1> /dev/null
*/5 * * * * root /usr/bin/nice -n 5 /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt 1> /dev/null

It's dated 2020-03-08, 10:20:

# lh /etc/cron.d/froxlor 
-rw-r----- 1 root root 840 mrt  8 10:20 /etc/cron.d/froxlor

I think that's when I dist-upgraded Debian. My latest Froxlox update was 2020-06-14  09:23:52, to version 0.10.18-1.

The files in /etc/ssl/froxlor are not newer, so it's not an issue with loading the certificates, what 'froxlor_master_cronjob.php --letsencrypt' now does.

[d00p]

trying my best

[d00p]

Froxlor Just runs the install-cronjob on acme.sh. if you run "crontab -e" as root you should see the corresponding line for acme.sh

 

[halfgaar]

I had checked that actually, there is no cron for root. There are no crons in /var/spool/cron/crontabs.

I just ran 'acme.sh --install-crobjob' by hand, and it created a cron job.

runIssueFor() in AcmeSh.php runs 'acme.sh --install-crobjob'  on issue. So in other words, when you upgrade to the Froxlor version with the new acme system, you won't get the cronjob until you issue new certificates?

[d00p]

24 minutes ago, halfgaar said:

runIssueFor() in AcmeSh.php runs 'acme.sh --install-crobjob'  on issue. So in other words, when you upgrade to the Froxlor version with the new acme system, you won't get the cronjob until you issue new certificates?

looks like you are right yes, must have missed that when refactoring to another technique. Can you open up an issue on GitHub for this please? So we can keep track and I'll find a way to fix that

[d00p]

nvm, done

[halfgaar]

I had just finished writing it 😢 😀.

[d00p]

You can still publish

[halfgaar]

Done.

[halfgaar]

Fast as lightning.

[Tealk]

14 hours ago, halfgaar said:

I just ran 'acme.sh --install-crobjob' by hand, and it created a cron job.

thanks

[d00p]

Just a typo, it's --install-cronjob of course

[halfgaar]

Something still amiss. The certificate wasn't updated. It was created in /root/.acme.sh, but not in /etc/ssl/froxlor. It didn't do anything, until I ran the cronjob with the --debug flag. That's something that seems to happen more often to me (requiring --debug to make the jobs work).

When I run it multiple times, now, I see it still wants to pick up that domain again and again:

root@myfroxlorserver: /etc/cron.d <master>
# /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug
[information] Updated Let's Encrypt certificate for thedomain.nl
[information] Let's Encrypt certificates have been updated
[notice] Checking system's last guid
  
root@myfroxlorserver: /etc/cron.d <master>
# /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug
[information] Updated Let's Encrypt certificate for thedomain.nl
[information] Let's Encrypt certificates have been updated
[notice] Checking system's last guid
  
root@myfroxlorserver: /etc/cron.d <master>
# /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug
[information] Updated Let's Encrypt certificate for thedomain.nl
[information] Let's Encrypt certificates have been updated
[notice] Checking system's last guid

I'm at work now, so I can't check further.

As for the crobjob, I keep typing that for some reason...

[d00p]

Don't use --letsencrypt 

You should use --force --debug

 

[halfgaar]

I'm confused. That's how it's run from the crontab /etc/cron.d/froxlor. See my original post. But, it doesn't seem to do anything (the files in /etc/ssl/froxlor were not updated), until I add --debug. And even then, it keeps thinking the domain 'thedomain.nl' (and only this one) has a new certificate, every time I run it. Once dealt with, I expect it not to show up as 'Updated Let's Encrypt certificate' anymore.

[d00p]

--letsencrypt is just historically there. The main action is included in --tasks cronjob (which --force triggers).

If its not doing anything then there's nothing to do. Update/renew is done by acme.sh itself. Froxlor just synchronizes the certificates from acme.sh's homedir with its database.

[halfgaar]

I'm still not 100% on the original issue I had, but it's probably related to this ticket I just made.

[d00p]

Can you verify that it works with the changes introduced in https://github.com/Froxlor/Froxlor/commit/a141c83ad48191a5460c14a6098b5f18ae49b473

[halfgaar]

I saw the Github notification. I didn't have the opportunity to test.

Anyway, that fix worked.