{"id":352,"date":"2018-01-14T18:11:44","date_gmt":"2018-01-14T16:11:44","guid":{"rendered":"https:\/\/www.petersplanet.nl\/?p=352"},"modified":"2018-02-06T22:05:03","modified_gmt":"2018-02-06T20:05:03","slug":"automatic-certbot-certificate-renewal-did-not-work","status":"publish","type":"post","link":"https:\/\/www.petersplanet.nl\/index.php\/2018\/01\/14\/automatic-certbot-certificate-renewal-did-not-work\/","title":{"rendered":"Automatic certbot certificate renewal did not work"},"content":{"rendered":"<p>Although I had set up a daily cronjob for the certbot renew command, it appeared that the automatic renewal did not work. It only worked interactively as root.<br \/>\n<!--more-->I found out that this was due to several denied statements in \/var\/log\/audit\/audit.log caused by SELinux:<\/p>\n<pre>type=AVC msg=audit(1515897301.682:45335): avc: denied { write } for pid=10306 comm=\"httpd\" path=\"\/var\/lib\/letsencrypt\/.certbot.lock\" dev=\"xvda1\" ino=11744 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file\r\ntype=AVC msg=audit(1515897301.711:45336): avc: denied { write } for pid=10309 comm=\"httpd\" path=\"\/etc\/letsencrypt\/.certbot.lock\" dev=\"xvda1\" ino=25479763 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file\r\ntype=AVC msg=audit(1515897301.711:45336): avc: denied { write } for pid=10309 comm=\"httpd\" path=\"\/var\/log\/letsencrypt\/.certbot.lock\" dev=\"xvda1\" ino=8501477 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file\r\n<\/pre>\n<p>After some research it appeared that there is a specific certbot-renew service for the certificate renewal. 
This solved the problem:<\/p>\n<pre>systemctl enable certbot-renew\r\nsystemctl start certbot-renew\r\nsystemctl status certbot-renew\r\n<\/pre>\n<p>References:<br \/>\n<a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1385167\">https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1385167<\/a><br \/>\n<a href=\"https:\/\/certbot.eff.org\/\">https:\/\/certbot.eff.org\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Although I had set up a daily cronjob for the certbot renew command, it appeared that the automatic renewal did not work. It only worked interactively as root.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-352","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/posts\/352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/comments?post=352"}],"version-history":[{"count":11,"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/posts\/352\/revisions"}],"predecessor-version":[{"id":363,"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/posts\/352\/revisions\/363"}],"wp:attachment":[{"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/media?parent=352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/categories?post=352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.petersplanet.nl\/index.php\/wp-json\/wp\/v2\/tags?post=352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}