Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 2221 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Letsencrypt updates system log every minute with renew entry

Jay Jay

Since implementing letsencrypt i'm seeing the following show up in the main system log every minute.

 

2019:04:08-12:49:01 utm /usr/sbin/cron[9766]: (dehydrated) CMD (/var/chroot-reverseproxy/usr/dehydrated/bin/renew_certificate.pl > /dev/null)

This is way too often.  The resulting crontab entry appears below

utm:/etc # cat crontab.letsencrypt-renewal
# Check CSRs for renewal
27 4 * * * dehydrated /var/chroot-reverseproxy/usr/dehydrated/bin/check_renewal.pl  -s > /dev/null
# Renew marked CSRs
* * * * * dehydrated /var/chroot-reverseproxy/usr/dehydrated/bin/renew_certificate.pl  > /dev/null

Checking once a day is good enough since it can renew 30 days before expiration.

Before I manually change it, does this file survive reboots?



This thread was automatically locked due to age.
  • 0

    I'll answer my own question.  No, it doesn't survive reboots.  Gets changed back to the above.

     

    Can this be edited somewhere else or is it hardcoded in an executable?

  • 0 in reply to Jay Jay

    Jay, did you change crontab.letsencrypt-renewal or just crontab?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I changed crontab.letsencrypt-renewal, then did the crontab dance to update the main crontab file and restart crontab(?) service.

    Looks like it hasn't changed since.

     

    utm:/etc # stat  crontab.letsencrypt-renewal
      File: `crontab.letsencrypt-renewal'
      Size: 246             Blocks: 8          IO Block: 4096   regular file
    Device: 806h/2054d      Inode: 153901      Links: 1
    Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2019-04-08 16:24:13.485781169 -0500
    Modify: 2019-04-08 16:24:13.485781169 -0500
    Change: 2019-04-08 16:24:13.485781169 -0500
     Birth: -
    utm:/etc # uptime
     16:16pm  up 1 day  0:11,  1 user,  load average: 0.11, 0.04, 0.05
    utm:/etc #

    I still think this should be properly so one doesn't have to edit this at each reboot or set up another cron script script to do so.  If I do use a script to update the execution times, how does the main crontab file get updated from commandline?

  • 0 in reply to Jay Jay

    This sloppy bug has been bugging me long enough.   Come on Sophos, FIX this stupid bug already!

     

    In the mean time, I added the code below to another script that's run every 10 min to make sure the 802.1x wpa_supplicant is running properly.  This checks the crontab file for presence of * * * * * dehydrated..... Which is what the line with the renew script starts with.  If present, changes it to run daily at 2:30am then restarts crontab.  If it's already changed it does nothing

    ------------------

    grep -F "30 2 * * * dehydrated" /etc/crontab >  /dev/null 2>&1
    if [ $? -ne 0  ]; then
            sed -i  's/\* \* \* \* \* dehydrated/30 2 \* \* \* dehydrated/' /etc/crontab
            echo "`date +%Y:%m:%d-%H:%M:%S` `hostname | cut -d'.' -f1` check crontab: crontab updated" >> $LOG 2>&1
            /etc/init.d/cron restart >  /dev/null 2>&1
    fi

    ---------

Unfiltered HTML