I switched my webservers over to using Let’s Encrypt to obtain SSL certificates. Everything looked great, but the update job would fail to run from Cron.
At first I had no errors to go on because my systems aren’t configured with a mail program so Cron couldn’t email me the errors. Rather than configure a mailer, I just piped the output to another log file by creating a folder under /var/log with permissions for my user and then updating cron so that
[command here] >> /var/log/certbot/certbot_cron.log 2>&1
was at the end of the command. So my full crontab entry is now:
36 2 * * * /home/kyle/certbot-auto renew --quiet --no-self-upgrade >> /var/log/certbot/certbot_cron.log 2>&1
Then I discovered the job was failing because:
sudo: no tty present and no askpass program specified
I have certbot-auto setup from my regular user account, which works great, except for the cron job. If I put the cronjob in the root’s crontab, it doesn’t know about the existing configuration in my user account so it tries to start over.
After some digging around and failing to find an exact solution to this problem I managed to get it running and made this post to help the next poor unfortunate soul.
I edited the sudo rules using:
And added to the end of the file:
kyle ALL=NOPASSWD:SETENV: /home/kyle/.local/share/letsencrypt/bin/letsencrypt, /usr/sbin/service apache2 *
This allows my account to execute the letsencrypt program and control the apache2 service without providing a password. SETENV allows it to set environment variables. I added it to get around the error message:
sudo: sorry, you are not allowed to set the following environment variables: CERTBOT_AUTO
I don’t know if this is the best way of getting the cronjob to run, but it seems to be working. It honestly still isn’t clear to me if one should just do all the letsencrypt stuff as root or not. That would probably avoid this issue, but if that’s the case they should just say it somewhere. Instead it works as non-root, but the cronjob to automatically update it doesn’t. And the automatic updating is kind of the point.
I don’t know if it makes a difference, but these servers are running Ubuntu 14.04.