Is certbot being run by cron or by systemd?

While migrating servers,

I'm replacing my Let's Encrypt renewal script

with certbot, a simple tool.

certbot

👉 Certbot 

These days,

scheduled jobs are apparently run by something called systemd.

It was registered without any problems.


# systemctl -t timer
  UNIT                         LOAD   ACTIVE SUB     DESCRIPTION
  anacron.timer                loaded active waiting Trigger anacron every hour
  apt-daily-upgrade.timer      loaded active waiting Daily apt upgrade and clean activities
  apt-daily.timer              loaded active waiting Daily apt download activities
  certbot.timer                loaded active waiting Run certbot twice daily
  e2scrub_all.timer            loaded active waiting Periodic ext4 Online Metadata Check for All Filesystems
  fstrim.timer                 loaded active waiting Discard unused blocks once a week
  fwupd-refresh.timer          loaded active waiting Refresh fwupd metadata regularly
  logrotate.timer              loaded active waiting Daily rotation of log files
  man-db.timer                 loaded active waiting Daily man-db regeneration
  motd-news.timer              loaded active waiting Message of the Day
  phpsessionclean.timer        loaded active waiting Clean PHP session files every 30 mins
  systemd-tmpfiles-clean.timer loaded active waiting Daily Cleanup of Temporary Directories

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

12 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.


# systemctl list-timers
NEXT                        LEFT          LAST                        PASSED        UNIT                         ACTIVATES
Tue 2021-03-16 13:34:46 JST 2min 41s left Tue 2021-03-16 12:32:29 JST 59min ago     anacron.timer                anacron.service
Tue 2021-03-16 13:39:00 JST 6min left     Tue 2021-03-16 13:09:04 JST 23min ago     phpsessionclean.timer        phpsessionclean.service
Tue 2021-03-16 17:04:24 JST 3h 32min left Tue 2021-03-16 05:22:36 JST 8h ago        apt-daily.timer              apt-daily.service
Tue 2021-03-16 17:44:41 JST 4h 12min left Mon 2021-03-15 17:44:41 JST 19h ago       systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Tue 2021-03-16 19:39:53 JST 6h left       Tue 2021-03-16 11:14:48 JST 2h 17min ago  motd-news.timer              motd-news.service
Tue 2021-03-16 20:53:59 JST 7h left       Tue 2021-03-16 09:19:17 JST 4h 12min ago  certbot.timer                certbot.service
Tue 2021-03-16 21:38:12 JST 8h left       Tue 2021-03-16 08:39:27 JST 4h 52min ago  fwupd-refresh.timer          fwupd-refresh.service
Wed 2021-03-17 00:00:00 JST 10h left      Tue 2021-03-16 00:00:04 JST 13h ago       logrotate.timer              logrotate.service
Wed 2021-03-17 00:00:00 JST 10h left      Tue 2021-03-16 00:00:04 JST 13h ago       man-db.timer                 man-db.service
Wed 2021-03-17 06:04:39 JST 16h left      Tue 2021-03-16 06:37:26 JST 6h ago        apt-daily-upgrade.timer      apt-daily-upgrade.service
Sun 2021-03-21 03:10:33 JST 4 days left   Sun 2021-03-14 03:10:36 JST 2 days ago    e2scrub_all.timer            e2scrub_all.service
Mon 2021-03-22 00:00:00 JST 5 days left   Mon 2021-03-15 00:00:04 JST 1 day 13h ago fstrim.timer                 fstrim.service

12 timers listed.

Wait,

wasn't it being run by cron as well?


# ls -l /etc/cron.d/
total 20
-rw-r--r-- 1 root root 285 Jul 17  2019 anacron
-rw-r--r-- 1 root root 775 Oct 26 23:42 certbot
-rw-r--r-- 1 root root 201 Feb 14  2020 e2scrub_all
-rw-r--r-- 1 root root 712 Mar 27  2020 php
-rw-r--r-- 1 root root 190 Aug  1  2020 popularity-contest


# journalctl | grep certbot
Mar 14 12:00:01 example-host CRON[64218]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 14 20:22:33 example-host systemd[1]: certbot.service: Succeeded.
Mar 15 00:00:01 example-host CRON[70825]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 15 01:22:23 example-host systemd[1]: certbot.service: Succeeded.
Mar 15 12:00:01 example-host CRON[76346]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 15 12:04:40 example-host systemd[1]: certbot.service: Succeeded.
Mar 16 00:00:01 example-host CRON[80612]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 16 09:19:18 example-host systemd[1]: certbot.service: Succeeded.
Mar 16 12:00:01 example-host CRON[85401]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)


# journalctl -r -u cron | grep certbot
Mar 16 00:00:01 example-host CRON[80612]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 15 12:00:01 example-host CRON[76346]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 15 00:00:01 example-host CRON[70825]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 14 12:00:01 example-host CRON[64218]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 14 00:00:01 example-host CRON[58784]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 12 12:00:01 example-host CRON[34259]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 12 00:00:01 example-host CRON[29111]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 11 12:00:01 example-host CRON[22432]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)
Mar 10 00:00:01 example-host CRON[8757]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew)


# journalctl -r -u certbot
-- Logs begin at Mon 2021-03-08 12:55:35 JST, end at Tue 2021-03-16 13:23:16 JST. --
Mar 16 09:19:18 example-host systemd[1]: Finished Certbot.
Mar 16 09:19:18 example-host systemd[1]: certbot.service: Succeeded.
Mar 16 09:19:17 example-host systemd[1]: Starting Certbot...
Mar 15 12:04:40 example-host systemd[1]: Finished Certbot.
Mar 15 12:04:40 example-host systemd[1]: certbot.service: Succeeded.
Mar 15 12:04:39 example-host systemd[1]: Starting Certbot...
Mar 15 01:22:23 example-host systemd[1]: Finished Certbot.
Mar 15 01:22:23 example-host systemd[1]: certbot.service: Succeeded.
Mar 15 01:22:23 example-host systemd[1]: Starting Certbot...
Mar 14 20:22:33 example-host systemd[1]: Finished Certbot.
Mar 14 20:22:33 example-host systemd[1]: certbot.service: Succeeded.
Mar 14 20:22:33 example-host systemd[1]: Starting Certbot...

 

Conclusion


# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

This part.


test -x /usr/bin/certbot -a \! -d /run/systemd/system &&  ...

If /usr/bin/certbot is executable

and

the directory /run/systemd/system does not exist,

the part after ... is executed.

 

Summary

The cron job for certbot is not executed if the directory


/run/systemd/system

exists.

Hmm,


/etc/cron.d/certbot

is confusing, isn't it?

Should I delete it?
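
An added example (not from the original post) that answers which scheduler actually performs the renewal: it re-implements the guard from /etc/cron.d/certbot as a shell function and reports systemd, cron or none. The ROOT prefix argument, the function names and the sample trees are assumptions made for illustration; the timer state is what `systemctl is-active certbot.timer` prints.

```shell
#!/bin/sh
# Added example: which scheduler actually performs `certbot renew`?
# ROOT is a hypothetical path prefix so the check can run against a test
# tree; pass "" for the live system.

# Equivalent to the guard in /etc/cron.d/certbot:
#   test -x /usr/bin/certbot -a \! -d /run/systemd/system
cron_guard_passes() {
    [ -x "$1/usr/bin/certbot" ] && [ ! -d "$1/run/systemd/system" ]
}

# Print systemd, cron or none.
# $2 is the timer state as printed by `systemctl is-active certbot.timer`.
renewal_path() {
    if [ -d "$1/run/systemd/system" ]; then
        # systemd is running, so the cron guard fails on every invocation.
        if [ "$2" = "active" ]; then
            echo systemd
        else
            echo none    # cron job skipped and timer not running
        fi
    elif [ -f "$1/etc/cron.d/certbot" ] && cron_guard_passes "$1"; then
        echo cron
    else
        echo none        # no cron file, or certbot is not executable
    fi
}

# Build a constructed sample tree (not from the original page).
# $1 = systemd or cron.
make_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/etc/cron.d" "$t/run"
    : > "$t/usr/bin/certbot"
    chmod +x "$t/usr/bin/certbot"
    : > "$t/etc/cron.d/certbot"
    if [ "$1" = "systemd" ]; then
        mkdir -p "$t/run/systemd/system"
    fi
    echo "$t"
}

for kind in systemd cron; do
    tree=$(make_tree "$kind")
    echo "$kind host, timer inactive: $(renewal_path "$tree" inactive)"
    rm -rf "$tree"
done
```

A result of none means no scheduler will renew the certificate; on the host shown in this post the result is systemd, since certbot.timer is listed as active.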
