On an Arch Linux machine hosting an nginx, I want to automatically renew its LetsEncrypt certificates. I wrote a .service and .timer for this:
# letsencrypt-update.service
[Unit]
Description=LetsEncrypt Update Service

[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt renew --quiet

# letsencrypt-update.timer
[Unit]
Description=LetsEncrypt Update Timer

[Timer]
OnCalendar=03,21:22
Persistent=true

[Install]
WantedBy=basic.target
Per certbot documentation the LetsEncrypt update should be run twice a day, and per systemd.time documentation it should be possible to run the service at 03:22 and 21:22 by separating the hours by comma, but when I re-enable the timer, the next execution in systemctl list-timers is on 03:22 and not 21:22 (it's 10 am here).
Why is that? Does systemd have to run the 03:22 timer before it executes the 21:22 one?
I use OnUnitActiveSec=12h to renew every 12 hours. Here's my full certbot-renewal.timer:
The original configuration of Meilon seems to be ok. But I would use this as timer config:
PartOf=%p.service - link both units together
RandomizedDelaySec=600 - use a random start delay (e.g. 10 minutes or more) to apply "select a random minute within the hour for your renewal tasks"
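
An added example (not code from any of the posts above, and not systemd's own parser): a small Python model of the `hours:minute` subset of systemd.time used in the question, computing which elapse `03,21:22` selects at a given time and the start window once `RandomizedDelaySec=600` is applied. The function names and the 10 am timestamp are constructed for illustration, and DST changes are ignored.

```python
from datetime import datetime, timedelta


def parse_calendar(spec):
    """Parse the 'H[,H...]:MM' subset of systemd.time used on this page."""
    hours_part, minute_part = spec.split(":")
    hours = sorted(int(h) for h in hours_part.split(","))
    minute = int(minute_part)
    if not all(0 <= h <= 23 for h in hours) or not 0 <= minute <= 59:
        raise ValueError(f"out of range: {spec!r}")
    return hours, minute


def next_elapse(spec, now):
    """Return the first matching wall-clock time strictly after `now`."""
    hours, minute = parse_calendar(spec)
    for day_offset in (0, 1):  # today first, then tomorrow
        day = (now + timedelta(days=day_offset)).replace(second=0, microsecond=0)
        for hour in hours:
            candidate = day.replace(hour=hour, minute=minute)
            if candidate > now:
                return candidate
    raise AssertionError("unreachable: a daily schedule matches within two days")


def trigger_window(spec, now, randomized_delay_sec=0):
    """Earliest and latest start once a 0..N second random delay is added."""
    start = next_elapse(spec, now)
    return start, start + timedelta(seconds=randomized_delay_sec)


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 10, 0)  # constructed "10 am" timestamp
    earliest, latest = trigger_window("03,21:22", now, 600)
    print("next elapse:", earliest, "| latest start:", latest)
```

On a real host, `systemd-analyze calendar "03,21:22"` prints systemd's own normalized form and next elapse for comparison.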