Letsencrypt certbot auto renew not working (Debian, Ubuntu) systemd

If your letsencrypt SSL certificates are not renewed automatically, chances are that your certbot.timer service is not running.

Here are the steps to troubleshoot this issue:

1. List all current systemd timers
(see if Certbot is listed, chances are it is not listed)

systemctl list-timers --all

2. Verify that these files exist:


Note that there is no need to create a separate cron job to trigger the renewal if these files exist.

3. Start the Certbot Timer
If the files above exist then run the following command to start the timer service

systemctl start certbot.timer

4. Enable the Timer on Boot
Now enable the timer service on boot

systemctl enable certbot.timer

List all the timers again to verify that certbot is running

systemctl list-timers --all

Unattended Upgrades Ubuntu

Install the unattended upgrade package

sudo apt-get install unattended-upgrades

Edit this file accordingly

vim /etc/apt/apt.conf.d/50unattended-upgrades

Install the Update Notifier
The update-notifier daemon notifies about package updates and other useful information (like reboot required messages).
This package is required if you have the “Unattended-Upgrade::Automatic-Reboot” configuration directive set to true.

apt-get install update-notifier-common

Finding out which updates are available:

/usr/lib/update-notifier/apt-check --human-readable

Mail and Notification
There are at least two options available to send email notifications

Option 1:
You can set the “Unattended-Upgrade::Mail” flag in /etc/apt/apt.conf.d/50unattended-upgrades to allow mail notifications.
Note that you must have the package “update-notifier-common” installed for this option to work.

Option 2:
You can use Apticron. “apticron will configure a cron job to email an administrator information about any packages on the system that have updates available, as well as a summary of changes in each package.”

apt install apticron

and update the configuration file (/etc/apticron/apticron.conf) accordingly.

About update-notifier
“If you want the script to automatically reboot when needed, you not only need to set Unattended-Upgrade::Automatic-Reboot "true", but you also need to have the “update-notifier-common” package installed. On minimal installations this is not installed by default and without it the automatic updater will never reboot and will not even tell you that you need to reboot manually if you have email notifications configured!

“The files in /etc/apt/apt.conf.d/ are evaluated in lexicographical order with each file capable of overriding values set in earlier files. This makes it insufficient to view the setting in /etc/apt/apt.conf.d/20auto-upgrades and why it is recommended to use apt-config.”
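
The point about evaluation order, as an added example that is not part of the original post: a shell audit that reads the merged settings printed by `apt-config dump` instead of trusting any single file. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the merged APT
# configuration as printed by `apt-config dump`, read from stdin.

# effective_value KEY: print KEY's value from dump text on stdin (empty if unset).
effective_value() {
    awk -v key="$1" '
        index($0, key " \"") == 1 {          # exact key, then space and quote
            v = substr($0, length(key) + 3)  # text after the opening quote
            sub(/";[ \t]*$/, "", v)          # drop closing quote and semicolon
            found = v
        }
        END { if (found != "") print found }'
}

# audit_dump: print findings; return 1 if unattended upgrades are effectively off.
audit_dump() {
    dump=$(cat)
    rc=0
    uu=$(printf '%s\n' "$dump" | effective_value 'APT::Periodic::Unattended-Upgrade')
    reboot=$(printf '%s\n' "$dump" | effective_value 'Unattended-Upgrade::Automatic-Reboot')
    mail=$(printf '%s\n' "$dump" | effective_value 'Unattended-Upgrade::Mail')
    case "$uu" in
        ''|0) echo "FAIL APT::Periodic::Unattended-Upgrade=${uu:-unset}"; rc=1 ;;
        *)    echo "OK   APT::Periodic::Unattended-Upgrade=$uu" ;;
    esac
    if [ "$reboot" = "true" ]; then
        echo "NOTE Automatic-Reboot=true: update-notifier-common must be installed"
    fi
    [ -n "$mail" ] || echo "WARN Unattended-Upgrade::Mail is unset: no mail reports"
    return "$rc"
}

# Constructed sample: 20auto-upgrades enabled upgrades, a later file set "0".
sample_overridden() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::MailReport "on-change";
EOF
}

# Live use on a Debian/Ubuntu host:  sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    apt-config dump | audit_dump
fi
```

A non-zero exit status means the effective configuration has unattended upgrades switched off, whatever 20auto-upgrades says on its own.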