[SOLVED] Treatment of scripts in /etc/cron.monthly
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
On a public Slackware64 14.0 server I'm hosting several domains, and each domain has one or more subdomains with corresponding SSL certificates generated with LetsEncrypt.
For every domain there's a script mkcert-domain.sh. Here's what this looks like:
I've been running these scripts since LetsEncrypt's first public beta in december, and after a few initial hiccups, everything works fine now.
I'd like to define a monthly cronjob for certificate generation. So my first idea would be to put all those mkcert-* scripts into /etc/cron.monthly, but I have a doubt. If I put them in this directory, I expect them to be launched sequentially, e. g. one after another, and not all at the same time.
Can anyone tell me more about the way scripts in /etc/cron.monthly (or similar) are treated?
Not exactly the answer for the question, but what if you had a master script that was launched by cron?
Then, this master script would sequentially call all the mkcert-* scripts?
Another thing: check if the Apache has to be really stopped when re-generating the certs.
I might be wrong, but if I recall correctly, the certs are read on startup and kept in memory (this makes sense, in the case the cert is password protected).
Then you would just restart the Apache. This would prevent down time during cert regeneration.
Not exactly the answer for the question, but what if you had a master script that was launched by cron?
Then, this master script would sequentially call all the mkcert-* scripts?
Another thing: check if the Apache has to be really stopped when re-generating the certs.
I might be wrong, but if I recall correctly, the certs are read on startup and kept in memory (this makes sense, in the case the cert is password protected).
Then you would just restart the Apache. This would prevent down time during cert regeneration.
--
Best regards,
Andrzej Telszewski
I can't really use a master script, because LetsEncrypt certificates have a very tight limitation. If I have to add a domain and/or one or several subdomains, I would have to rerun the whole script, and my weekly quota would peak out.
As for Apache: yes, it has to be stopped for generation as well as for renewal.
If your crontab uses run-parts then files in the directory are processed in sequence. Cron itself runs things in parrallel. You can add a cronjob to your apache user.
Some more thoughts and questions:
You could use the last modified date of the generated cert files to see if a script needs renewal or creation. This way you could use a master script.
Is it really needed that the creation process runs in parrallel? Do you have enough entropy from /dev/{random,urandom} for this? Or are the servers of letsencrypt doing the body work?
Why don't you first create the new certs, stop apache, move old to backup, move new to correct path, start apache. Depending on how long the creation process takes you have a considerable down time.
Do you really need to stop apache? I know theres an option to have apache reread its configs and all new connection use the new settings. Also I'm not sure if this goes for certs as well.
Any deeper sense in regenerating those certificates once a month?
It's nice of you folks to help me, but this is not a thread on how LetsEncrypt works (e. g. yes, you have to stop Apache, etc.). Here's my question:
Are scripts in /etc/cron.monthly processed one after another, yes or no?
Thanks for staying on topic and actually answering my question.
Cheers,
Niki
According to the main loop of /usr/bin/run-parts (see below), scripts in /etc/cron.monthly *are* processed one after another :
Code:
for SCRIPT in $1/* ; do
# If this is not a regular file, skip it:
if [ ! -f $SCRIPT ]; then
continue
fi
# Determine if this file should be skipped by suffix:
SKIP=false
for SUFFIX in $IGNORE_SUFFIXES ; do
if [ ! "$(basename $SCRIPT $SUFFIX)" = "$(basename $SCRIPT)" ]; then
SKIP=true
break
fi
done
if [ "$SKIP" = "true" ]; then
continue
fi
# If we've made it this far, then run the script if it's executable:
if [ -x $SCRIPT ]; then
$SCRIPT || echo "$SCRIPT failed."
fi
done
Starting one after the other has finished only occurs if you use run-parts (ie, you put all your scripts individually in /etc/cron.monthly). However, if you put them individually in your crontab, it'll still run them in order, however, they won't wait for the other to stop/finish (like appending an ampersand "&" at the end of a command). You can either add multiple scripts within /etc/cron.monthly/ or add one script that calls the scripts one after the other (just don't add an ampersand).
If, for future reference, you want scripts run in "parallel", you'll either need to use crontab or build a script that will start programs without waiting for others to finish (by using ampersands).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.