Systemd timer ignoring multipe hours

Question

on an Arch linux machine hosting an nginx I want to automatically renew its LetsEncrypt certificates. I wrote a .service and .timer for this:

#letsencrypt-update.service
[Unit]
Description=LetsEncrypt Update Service

[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt renew --quiet


#letsencrypt-update.timer
[Unit]
Description=LetsEncrypt Update Timer

[Timer]
OnCalendar=03,21:22
Persistent=true

[Install]
WantedBy=basic.target

Per certbot documentation the LetsEncrypt update should be run twice a day, an per systemd.time documentation it should be possible to run the service at 03:22 and 21:22 by separating the hours by comma, but when I reenable the timer, the next execution in systemctl list-timers is on 03:22 and not 21:22 (it's 10 am here).

Why is that? Does systemd has to run the 03:22 timer before it executes the 21:22 one?

Side note: Why do you feel the need to renew the certificate twice a day? It's valid for 90 days. — Sven, Jun 07 '16 at 08:49
Like it says in the linked documentation: Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks. — meilon, Jun 07 '16 at 09:08
After the timer did run this morning, the next execution is set for tonight. So it works like I thought, but why? — meilon, Jun 08 '16 at 05:33

score 1 · Answer 1 · answered May 02 '18 at 10:03

1

I use OnUnitActiveSec=12h to renew every 12 hours. Here's my full certbot-renewal.timer:

[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=12h

[Install]
WantedBy=multi-user.target

answered May 02 '18 at 10:03

janfrode

111
3

score 0 · Answer 2 · answered Aug 14 '18 at 10:38

The original configuration of Meilon seems to be ok. But I would use this as timer config:

#letsencrypt-update.timer
[Unit]
Description=LetsEncrypt Update Timer
PartOf=%p.service

[Timer]
OnCalendar=03,21:22
RandomizedDelaySec=600
Persistent=true

[Install]
WantedBy=basic.target

PartOf=%p.service - link both units together
RandomizedDelaySec=600 - use a random start delay (e.g. 10 Minutes or more) to apply "select a random minute within the hour for your renewal tasks"

Systemd timer ignoring multipe hours

2 Answers2