Ubuntu
python-certbot package

snap.certbot.renew.service has fixed times, can't they be randomized with RandomizedDelaySec

Asked by David Gasperoni

When inspecting snap.certbot.renew.service I see that there are two OnCalendar times. I'm not sure if they're randomized on setup or hardcoded. Debian's timer unit has RandomizedDelaySec which allows a setup like this:

OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200

which basically causes two renewals a day, but at random times (they could even be close to each other around noon, or on two different days but very close to midnight — or be at two very different points of the day).

Wouldn't this be a better way to spread renewals for the sake of Let's Encrypt?

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu python-certbot Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Launchpad Janitor (janitor) said : 		#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Revision history for this message
David Gasperoni (davidgasperoni) said : 		#2

Up.

Revision history for this message
Manfred Hampl (m-hampl) said : 		#3

Which Ubuntu release and certbot version are you talking about?

The python-certbot packages for Ubuntu have been copied from Debian without modification at the scheduling logic (at least those for focal and groovy).

Revision history for this message
David Gasperoni (davidgasperoni) said : 		#4

```
root@lab:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal

root@lab:~# certbot --version
certbot 1.9.0

root@lab:~# systemctl cat snap.certbot.renew.timer
# /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=snap-certbot-652.mount
After=snap-certbot-652.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 02:32
OnCalendar=*-*-* 15:44

[Install]
WantedBy=timers.target
```

On Debian 10.6, this is the default certbot.timer:
```
box@box:~$ systemctl cat certbot.timer
# /lib/systemd/system/certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target
```

The OnCalendar options are automatically generated? How often do they change? In practice, my Debian system runs twice a day at random times, while the Ubuntu system runs twice a day at those exact times listed above. One (maybe key?) difference is that on Ubuntu I installed the snap package for certbot.

Revision history for this message
Manfred Hampl (m-hampl) said : 		#5

If you have questions about the snap version of certbot, then you should ask at https://forum.snapcraft.io

Can you help with this problem?

Provide an answer of your own, or ask David Gasperoni for more information if necessary.

To post a message you must log in.