
Checking snap.certbot.renew, the Let's Encrypt automatic renewal

Posted at 2021-11-18

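Installed snap list
Scheduled time
Status check
Checking the configuration
Checking the logs
Checking that renewal works correctly with snap
Reference articles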

Installed snap list

# snap list

Name     Version    Rev    Tracking       Publisher     Notes
certbot  1.21.0     1582   latest/stable  certbot-eff✓  classic
core     16-2.52.1  11993  latest/stable  canonical✓    core
core20   20211115   1242   latest/stable  canonical✓    base

Scheduled time

# snap refresh --time

timer: 00:00~24:00/4
last: today at 22:48 JST
next: tomorrow at 02:51 JST

Checking with the systemd timer

# systemctl list-timers

NEXT                         LEFT     LAST                         PASSED       UNIT                         ACTIVATES
木 2021-11-18 20:32:00 JST  6h left  木 2021-11-18 06:21:06 JST  7h ago       snap.certbot.renew.timer     snap.certbot.renew.
金 2021-11-19 12:39:28 JST  22h left 木 2021-11-18 12:39:28 JST  1h 40min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-cl

2 timers listed.
Pass --all to see loaded but inactive timers, too.

Two timers are set:
"snap.certbot.renew"
"systemd-tmpfiles-clean"

Status check

# systemctl status snap.certbot.renew.timer

● snap.certbot.renew.timer - Timer renew for snap application certbot.renew
   Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; vendor preset: disabled)
   Active: active (waiting) since 木 2021-11-04 17:31:23 JST; 1 weeks 6 days ago

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Application for renewing certbot (Let's Encrypt)
Loaded
Active (waiting)

Checking the configuration

# systemctl cat snap.certbot.renew.service

# /etc/systemd/system/snap.certbot.renew.service
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-1582.mount
Wants=network.target
After=var-lib-snapd-snap-certbot-1582.mount network.target snapd.apparmor.service
X-Snappy=yes

[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/1582
TimeoutStopSec=30
Type=oneshot

Checking the logs

# journalctl -f -u snap.certbot.renew.service

-- Logs begin at 土 2021-11-06 08:26:41 JST. --
11月 16 06:21:09 v157-7-134-162.myvps.jp systemd[1]: Starting Service for snap application certbot.renew...
11月 16 06:21:11 v157-7-134-162.myvps.jp systemd[1]: Started Service for snap application certbot.renew.
11月 16 20:32:08 v157-7-134-162.myvps.jp systemd[1]: Starting Service for snap application certbot.renew...
11月 16 20:32:10 v157-7-134-162.myvps.jp systemd[1]: Started Service for snap application certbot.renew.
11月 17 06:21:05 v157-7-134-162.myvps.jp systemd[1]: Starting Service for snap application certbot.renew...
11月 17 06:21:07 v157-7-134-162.myvps.jp systemd[1]: Started Service for snap application certbot.renew.
11月 17 20:32:00 v157-7-134-162.myvps.jp systemd[1]: Starting Service for snap application certbot.renew...
11月 17 20:32:02 v157-7-134-162.myvps.jp systemd[1]: Started Service for snap application certbot.renew.
11月 18 06:21:06 v157-7-134-162.myvps.jp systemd[1]: Starting Service for snap application certbot.renew...
11月 18 06:21:08 v157-7-134-162.myvps.jp systemd[1]: Started Service for snap application certbot.renew.

The timer appears to be working normally, four times a day.
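
As an added example (not part of the original article), the shell functions below count, per day, how many times the unit started and how many of those runs completed, reading journal lines in the format shown above. The sample lines, the placeholder hostname `host.example`, the failed run, and the function names are constructed for illustration; the date layout is assumed to match the output on this page.

```shell
#!/usr/bin/env bash
# Added example: per-day health summary of snap.certbot.renew.service runs.

# Constructed sample in the journal format shown above; "host.example" is a
# placeholder hostname and the failed run on the 17th is made up for the demo.
sample_journal() {
cat <<'EOF'
11月 16 06:21:09 host.example systemd[1]: Starting Service for snap application certbot.renew...
11月 16 06:21:11 host.example systemd[1]: Started Service for snap application certbot.renew.
11月 16 20:32:08 host.example systemd[1]: Starting Service for snap application certbot.renew...
11月 16 20:32:10 host.example systemd[1]: Started Service for snap application certbot.renew.
11月 17 06:21:05 host.example systemd[1]: Starting Service for snap application certbot.renew...
11月 17 06:21:07 host.example systemd[1]: Failed to start Service for snap application certbot.renew.
EOF
}

# renew_summary: journal lines on stdin -> "<month> <day> started=N ok=N" per day.
# For a Type=oneshot unit, "Started" is logged only after ExecStart succeeded
# (newer systemd versions log "Finished" instead, so both are accepted).
renew_summary() {
  awk '
    /systemd\[[0-9]+\]: Starting Service for snap application certbot\.renew/ {
      day = $1 " " $2
      if (!(day in started)) order[++n] = day
      started[day]++
    }
    /systemd\[[0-9]+\]: (Started|Finished) Service for snap application certbot\.renew/ {
      ok[$1 " " $2]++
    }
    END {
      for (i = 1; i <= n; i++) {
        d = order[i]
        printf "%s started=%d ok=%d\n", d, started[d], ok[d]
      }
    }
  '
}

# renew_healthy MIN: exit 0 only if every day seen has at least MIN runs
# and every started run completed; exit 1 on failures or an empty journal.
renew_healthy() {
  renew_summary | awk -v min="${1:-1}" '
    { split($3, s, "="); split($4, k, "="); if (s[2] < min || s[2] != k[2]) bad = 1 }
    END { exit (bad || NR == 0) }
  '
}
# On a host (without -f, so the command exits):
#   journalctl --no-pager -u snap.certbot.renew.service | renew_healthy 2
```

A non-zero exit from `renew_healthy` is suitable for wiring into a cron or monitoring check, since a timer that stops firing otherwise goes unnoticed until the certificate expires.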

Checking that renewal works correctly with snap

# /var/lib/snapd/snap/bin/certbot

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select 1.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
2: mail.example.com
3: sub.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Select 1.

Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/example.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

1: Reinstall
2: Renew

Renewing an existing certificate for example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2022-02-16.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for example.com to /etc/httpd/conf.d/virtual.conf

Reference articles

https://gamingpc.one/dev/systemd-timer-cheat/
https://www.mtioutput.com/entry/tmpfiles-clean-test
https://qiita.com/Brutus/items/6850a94358b9199834f2
