2 min read

Letsencrypt and when a cron job fail

Lets Encrypt / Certbot is a great initiative to simplify the HTTPS certificates management, but many things happen behind the scene and sometimes it could go wrong.

linux sysadmin
When your server say "You have mail" it means "We need to talk.."

/usr/sbin/service nginx stop
./letsencrypt-auto certonly --standalone --email myemail@grigio.org -d grigio.org --renew-by-default --agree-tos
/usr/sbin/service nginx start

I used the command above in a cron job and it always worked but tonight it failed.
I'm not enthusiast of it because it needs the root privileges and it also cause the nginx web server downtime,.. but it worked until now.

Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-2Ur7fS/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('
', '
'), __file__, 'exec'))" install --record /tmp/pip-Uh6XzK-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-2Ur7fS/cryptography
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
You are using pip version 8.0.3, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
nginx start/running, process 17815

Apparently the new LE version coming from the autoupdate script changed its python dependencies so I had to debug it manually to make it work again.

Luckily it was easy to fix,..

apt-get install python-pip
pip install --upgrade pip

..but i'd like to move away from this "manual" approach, because it requires to edit manually the NGINX config files and activate a cron job per each virtualhost (if you don't want to transform your configs in a big ball of mud).

NGINX + Let's Encrypt + HTTPS renewal with Docker

The idea is to start a container and with and ENV variable like "VIRTUAL_HOST=foo.bar.com"and automagically activate/deactivate the HTTPS for that domain or subdomain.

Woow, the answer is docker-letsencrypt-nginx-proxy-companion I'm still not sure if all this automation can be a limit,.. in some situations. The LE service can activate a new SSL certificate only on public IPs, so it isn't easy to test the set up without a jump in the unknown. I tried to change the DNS and resolve a subdomain to my local dynamic IP and this solution worked very well.

That migration is something to do in 2017 when i've time :)
Happy new year