Question 1:
Because I'm doing it manually, not automatically, I'd like to ask whether I should use the same command as mentioned above to renew the certificate after two months, or do I need to make some changes?
Question 2:
Will the path and the certificate name for renewing the certificate be the same or will they change?
First time: /etc/letsencrypt/live/{domain}/fullchain.pem
Renew: the same? Or /etc/letsencrypt/live/{domain}/fullchain1.pem?
Answer 1: You showed two different ACME clients.
So, I'm confused about the question.
In general, if you are able to execute either of those commands without having to do anything else manually, you should be able to execute the command within a cron type job and it will renew your cert when the time comes.
Please DO NOT USE:
Answer 2: certbot's /live/ folder contains symbolic links to the files from the last renewal.
So, you can always reuse the same original path.
[that is one of the ways full automation is achieved]
In addition to rg305's comments, you should not look to renew just every 3 months. Let's Encrypt recommends renewing with 1/3 of time remaining on the cert (so after 60 days currently). This allows time to address failures.
And, I now see you are posting so I postpone my other comments until after that.
Yes, I plan to use crontab to execute the command, but I'm not sure if the renew command needs to be modified?
Maybe I need to add --renew? Or --force? Or something else? Or can the same command renew?
Because my certificate isn't three months old yet, I can't test whether the actual renew command is the same. So, I came here to ask everyone.
acme.sh is my backup tool for when certbot has an issue.
So, I'd like to know if both tools need to modify their commands when renewing after three months.
In short, I want to know if the renew command is different from the one used when applying for the certificate for the first time.
It is usually run at least once a day - even twice at random times. You may already have something set up for that during Certbot install.
The renew looks at the certs known to Certbot on your machine. The cert command options and profile are saved in your /etc/letsencrypt/renewal folder for each cert.
If the cert is fresh enough, nothing more is done. Only when the cert is within the renewal period will certbot run your hooks and request a cert.
Because during testing, I noticed some differences from the production environment, but I've forgotten the details.
I forgot whether I was using acme.sh or certbot, but during DNS authentication, I noticed that the authentication process was different in the production and testing environments.
If you type this:
-d *.example.com -d example.com
production and test are different on DNS auth,
so the test does not follow the same steps as production at the DNS auth step.
But, Let's Encrypt will cache successful validations for a specific account and domain name for 30 days (currently). So, a subsequent command may not need a new auth.
For --dry-run at least, Certbot flushes any staging cache so each attempt is the same and more like what will happen for an actual renewal.
Your Certbot command uses the manual method but provides a manual-auth-hook. As long as that hook doesn't require your manual intervention (like it displaying info and you manually updating the TXT record) then it can be automated.
Certbot will fail if you try to renew a manual method without such a hook provided.
Just try certbot renew --dry-run and see what happens.
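
Added example, not part of any post in this thread: a sandbox that mimics certbot's live/archive layout to show why the path in question 2 stays the same after a renewal. The temporary directory, the domain example.com, the file contents and the function names are all constructed for illustration; nothing here touches /etc/letsencrypt.

```shell
#!/bin/sh
# Constructed sandbox mimicking certbot's on-disk layout:
#   archive/<domain>/fullchainN.pem  numbered file, one per issuance
#   live/<domain>/fullchain.pem      symlink to the newest numbered file

# Create the two directories for a domain under a root directory.
make_layout() {
    root=$1; domain=$2
    mkdir -p "$root/archive/$domain" "$root/live/$domain"
}

# Write certificate version N and repoint the live symlink at it,
# as happens after a successful issuance or renewal.
store_version() {
    root=$1; domain=$2; n=$3
    printf 'constructed chain, version %s\n' "$n" \
        > "$root/archive/$domain/fullchain$n.pem"
    ln -sf "../../archive/$domain/fullchain$n.pem" \
        "$root/live/$domain/fullchain.pem"
}

# Print the archive file name the stable live path currently resolves to.
live_target() {
    basename "$(readlink "$1/live/$2/fullchain.pem")"
}

# Succeeds only if the live path is a symlink resolving to a readable file,
# a check worth running before reloading a server that uses the cert.
live_ok() {
    p="$1/live/$2/fullchain.pem"
    [ -L "$p" ] && [ -r "$p" ]
}

demo() {
    root=$(mktemp -d)
    make_layout "$root" example.com
    store_version "$root" example.com 1   # first issuance
    echo "after issue:   fullchain.pem -> $(live_target "$root" example.com)"
    store_version "$root" example.com 2   # renewal
    echo "after renewal: fullchain.pem -> $(live_target "$root" example.com)"
    live_ok "$root" example.com && echo "live path still valid"
    rm -rf "$root"
}

demo
```

The server configuration keeps pointing at live/{domain}/fullchain.pem; only the numbered file behind the symlink changes.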