While migrating the server,
I'm replacing my Let's Encrypt renewal script
with a simple tool called certbot.
👉 Certbot
These days,
it seems scheduled jobs are run by something called systemd.
It registered without any trouble.
# systemctl -t timer
UNIT LOAD ACTIVE SUB DESCRIPTION
anacron.timer loaded active waiting Trigger anacron every hour
apt-daily-upgrade.timer loaded active waiting Daily apt upgrade and clean activities
apt-daily.timer loaded active waiting Daily apt download activities
certbot.timer loaded active waiting Run certbot twice daily
e2scrub_all.timer loaded active waiting Periodic ext4 Online Metadata Check for All Filesystems
fstrim.timer loaded active waiting Discard unused blocks once a week
fwupd-refresh.timer loaded active waiting Refresh fwupd metadata regularly
logrotate.timer loaded active waiting Daily rotation of log files
man-db.timer loaded active waiting Daily man-db regeneration
motd-news.timer loaded active waiting Message of the Day
phpsessionclean.timer loaded active waiting Clean PHP session files every 30 mins
systemd-tmpfiles-clean.timer loaded active waiting Daily Cleanup of Temporary Directories
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
12 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2021-03-16 13:34:46 JST 2min 41s left Tue 2021-03-16 12:32:29 JST 59min ago anacron.timer anacron.service
Tue 2021-03-16 13:39:00 JST 6min left Tue 2021-03-16 13:09:04 JST 23min ago phpsessionclean.timer phpsessionclean.service
Tue 2021-03-16 17:04:24 JST 3h 32min left Tue 2021-03-16 05:22:36 JST 8h ago apt-daily.timer apt-daily.service
Tue 2021-03-16 17:44:41 JST 4h 12min left Mon 2021-03-15 17:44:41 JST 19h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Tue 2021-03-16 19:39:53 JST 6h left Tue 2021-03-16 11:14:48 JST 2h 17min ago motd-news.timer motd-news.service
Tue 2021-03-16 20:53:59 JST 7h left Tue 2021-03-16 09:19:17 JST 4h 12min ago certbot.timer certbot.service
Tue 2021-03-16 21:38:12 JST 8h left Tue 2021-03-16 08:39:27 JST 4h 52min ago fwupd-refresh.timer fwupd-refresh.service
Wed 2021-03-17 00:00:00 JST 10h left Tue 2021-03-16 00:00:04 JST 13h ago logrotate.timer logrotate.service
Wed 2021-03-17 00:00:00 JST 10h left Tue 2021-03-16 00:00:04 JST 13h ago man-db.timer man-db.service
Wed 2021-03-17 06:04:39 JST 16h left Tue 2021-03-16 06:37:26 JST 6h ago apt-daily-upgrade.timer apt-daily-upgrade.service
Sun 2021-03-21 03:10:33 JST 4 days left Sun 2021-03-14 03:10:36 JST 2 days ago e2scrub_all.timer e2scrub_all.service
Mon 2021-03-22 00:00:00 JST 5 days left Mon 2021-03-15 00:00:04 JST 1 day 13h ago fstrim.timer fstrim.service
12 timers listed.
Wait,
wasn't it being run from cron as well?
# ls -l /etc/cron.d/
total 20
-rw-r--r-- 1 root root 285 Jul 17 2019 anacron
-rw-r--r-- 1 root root 775 Oct 26 23:42 certbot
-rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all
-rw-r--r-- 1 root root 712 Mar 27 2020 php
-rw-r--r-- 1 root root 190 Aug 1 2020 popularity-contest
# journalctl | grep certbot
Mar 14 12:00:01 example-host CRON[64218]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 14 20:22:33 example-host systemd[1]: certbot.service: Succeeded.
Mar 15 00:00:01 example-host CRON[70825]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 15 01:22:23 example-host systemd[1]: certbot.service: Succeeded.
Mar 15 12:00:01 example-host CRON[76346]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 15 12:04:40 example-host systemd[1]: certbot.service: Succeeded.
Mar 16 00:00:01 example-host CRON[80612]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 16 09:19:18 example-host systemd[1]: certbot.service: Succeeded.
Mar 16 12:00:01 example-host CRON[85401]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
# journalctl -r -u cron | grep certbot
Mar 16 00:00:01 example-host CRON[80612]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 15 12:00:01 example-host CRON[76346]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 15 00:00:01 example-host CRON[70825]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 14 12:00:01 example-host CRON[64218]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 14 00:00:01 example-host CRON[58784]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 12 12:00:01 example-host CRON[34259]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 12 00:00:01 example-host CRON[29111]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 11 12:00:01 example-host CRON[22432]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 10 00:00:01 example-host CRON[8757]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
# journalctl -r -u certbot
-- Logs begin at Mon 2021-03-08 12:55:35 JST, end at Tue 2021-03-16 13:23:16 JST. --
Mar 16 09:19:18 example-host systemd[1]: Finished Certbot.
Mar 16 09:19:18 example-host systemd[1]: certbot.service: Succeeded.
Mar 16 09:19:17 example-host systemd[1]: Starting Certbot...
Mar 15 12:04:40 example-host systemd[1]: Finished Certbot.
Mar 15 12:04:40 example-host systemd[1]: certbot.service: Succeeded.
Mar 15 12:04:39 example-host systemd[1]: Starting Certbot...
Mar 15 01:22:23 example-host systemd[1]: Finished Certbot.
Mar 15 01:22:23 example-host systemd[1]: certbot.service: Succeeded.
Mar 15 01:22:23 example-host systemd[1]: Starting Certbot...
Mar 14 20:22:33 example-host systemd[1]: Finished Certbot.
Mar 14 20:22:33 example-host systemd[1]: certbot.service: Succeeded.
Mar 14 20:22:33 example-host systemd[1]: Starting Certbot...
Conclusion
# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
This part:
test -x /usr/bin/certbot -a \! -d /run/systemd/system && ...
If /usr/bin/certbot is executable,
and
the directory /run/systemd/system does not exist,
then everything after the ... is executed.
Summary
The cron job for certbot
is not executed if the
/run/systemd/system
directory exists.
Hmm,
/etc/cron.d/certbot
is confusing, isn't it?
Should I delete it?
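The guard above only tests whether /run/systemd/system exists, not whether certbot.timer is actually running, so on a systemd host with the timer stopped neither scheduler renews the certificate. The shell function below is an added example (not from the original post or the certbot package) that reports which scheduler will really run the renewal; the name renewal_path and its ROOT and TIMER_STATE parameters are assumptions introduced here so it can be tried against a constructed directory tree.

```shell
#!/bin/sh
# Added example: which scheduler will actually run "certbot renew"?
# renewal_path, ROOT and TIMER_STATE are names assumed for this example.
#
# renewal_path ROOT TIMER_STATE
#   ROOT         filesystem root to inspect ("/" for the live system)
#   TIMER_STATE  output of `systemctl is-active certbot.timer`
renewal_path() {
    root=${1%/}                 # "/" becomes "", so paths stay absolute
    timer_state=${2:-unknown}

    # First half of the cron guard: test -x /usr/bin/certbot
    if [ ! -x "$root/usr/bin/certbot" ]; then
        echo "none: certbot not installed"
        return 1
    fi

    # Second half: \! -d /run/systemd/system
    # When this directory exists, cron skips the job whatever the timer does.
    if [ -d "$root/run/systemd/system" ]; then
        if [ "$timer_state" = "active" ]; then
            echo "systemd: certbot.timer"
            return 0
        fi
        echo "none: cron job skipped and certbot.timer is $timer_state"
        return 1
    fi

    # No systemd: the cron entry is the only thing left to do the renewal.
    if [ -f "$root/etc/cron.d/certbot" ]; then
        echo "cron: /etc/cron.d/certbot"
        return 0
    fi
    echo "none: no systemd and no cron entry"
    return 1
}

# Live check, only when asked for explicitly.
if [ "${1:-}" = "--live" ]; then
    renewal_path / "$(systemctl is-active certbot.timer 2>/dev/null)"
fi
```

A non-zero exit status means no scheduled renewal is in place, which makes the function usable as a monitoring check.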
👉 [Let's Encrypt] Certificate renewal using ACMEv1 will no longer be available from June 2021. | #Android Fashion News Σ(^A^;)
👉 systemd - ArchWiki
👉 SSL Server Test (Powered by Qualys SSL Labs)
👉 Using systemd timers instead of cron (crontab) - @znz blog
👉 How to create a timer with systemd (minimal sample) - Qiita