Automatic certbot certificate renewal did not work

Although I had set up a daily cron job for the certbot renew command, it turned out that the automatic renewal did not work; it only worked when run interactively as root.
I found out that the cause was a series of SELinux denials recorded in /var/log/audit/audit.log: the process running as httpd_t was not allowed to write certbot's lock files, because those files carry labels (cron_var_lib_t, etc_t, cron_log_t) that the httpd_t domain has no write access to.

type=AVC msg=audit(1515897301.682:45335): avc: denied { write } for pid=10306 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="xvda1" ino=11744 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1515897301.711:45336): avc: denied { write } for pid=10309 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="xvda1" ino=25479763 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1515897301.711:45336): avc: denied { write } for pid=10309 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="xvda1" ino=8501477 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
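When a cron-driven job silently fails like this, the quickest check is to pull the AVC records apart and group them by source domain and target type, which makes the policy gap obvious. The following is an added example (my own code, not part of the original post or of certbot) that parses the three records quoted above together with two constructed records and reports only the denied writes to certbot's lock files. The field names it extracts are the standard audit.log fields visible in the lines above.

```python
import re

# Constructed sample: the three AVC records quoted in the post above, plus
# a SYSCALL record and an unrelated AVC record to show that they are ignored.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1515897301.682:45335): avc: denied { write } for pid=10306 comm="httpd" '
    'path="/var/lib/letsencrypt/.certbot.lock" dev="xvda1" ino=11744 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1515897301.711:45336): avc: denied { write } for pid=10309 comm="httpd" '
    'path="/etc/letsencrypt/.certbot.lock" dev="xvda1" ino=25479763 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1515897301.711:45336): avc: denied { write } for pid=10309 comm="httpd" '
    'path="/var/log/letsencrypt/.certbot.lock" dev="xvda1" ino=8501477 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file',
    # constructed: a non-AVC record that the parser must skip
    'type=SYSCALL msg=audit(1515897301.711:45336): arch=c000003e syscall=2 success=no exit=-13',
    # constructed: an AVC denial that is not about a certbot lock file
    'type=AVC msg=audit(1515897302.000:45337): avc: denied { write } for pid=10310 comm="httpd" '
    'path="/var/www/html/index.html" dev="xvda1" ino=1 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

# "avc:  denied  { write }" in a real log has double spaces; " +" accepts both forms.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+) \} for (?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context reads user:role:type:level; the type is what policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def find_certbot_lock_denials(lines):
    """Keep only denied 'write' attempts on a .certbot.lock file."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if (rec.get("tclass") == "file"
                and rec.get("path", "").endswith("/.certbot.lock")
                and "write" in rec["perms"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Group the offending paths by (source type, target type) pair."""
    summary = {}
    for h in hits:
        key = (h["scontext_type"], h["tcontext_type"])
        summary.setdefault(key, []).append(h["path"])
    return summary


if __name__ == "__main__":
    for (src, tgt), paths in summarize(find_certbot_lock_denials(SAMPLE_AUDIT_LINES)).items():
        print(f"{src} -> {tgt}: {', '.join(paths)}")
```

Run against a real /var/log/audit/audit.log (or the output of ausearch -m AVC) the same functions give a per-label summary; three different target types for one source domain is the signature of a job that is being confined by a domain it was never meant to run in.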

After some research it appeared that there is a dedicated certbot-renew systemd service for certificate renewal. Using it instead of my own cron job solved the problem:

systemctl enable certbot-renew
systemctl start certbot-renew
systemctl status certbot-renew

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1385167
https://certbot.eff.org/
