About renewing a certificate

Hi. Because I need to write a script to renew the certificate automatically every 3 months, I used the following command to get my first certificate.

certbot:
certbot certonly -n --manual --manual-auth-hook /root/global/dns.sh --manual-cleanup-hook /root/global/ultradns_clean.sh --manual-public-ip-logging-ok --preferred-challenges dns --agree-tos -d www.example.com

acme.sh:
acme.sh --issue -d www.example.com --dns dns_ultra --yes-I-know-dns-manual-mode-enough-go-ahead-please --force

question1:
Because I'm doing it manually, not automatically, I'd like to ask whether I should use the same command as mentioned above to renew the certificate after two months, or whether I need to make some changes.

question2:
Will the path and the certificate name for renewing the certificate be the same or will they change?
first time: /etc/letsencrypt/live/{domain}/fullchain.pem
renew: the same? Or /etc/letsencrypt/live/{domain}/fullchain1.pem?

Thanks

1 Like

Hi @Van, and welcome to the LE community forum :slight_smile:

Answer 1: You showed two different ACME clients.
So, I'm confused about the question.
In general, if you are able to execute either of those commands without having to do anything else manually, you should be able to execute the command within a cron-type job and it will renew your cert when the time comes.

Please DO NOT USE:

Answer 2: certbot's /live/ folder contains symbolic links to the files from the last renewal.
So, you can always reuse the same original path.
[that is one of the ways how full automation is achieved]

6 Likes

In addition to rg305's comments, you should not look to renew just every 3 months. Let's Encrypt recommends renewing with 1/3 of time remaining on the cert (so after 60 days currently). This allows time to address failures.

And, I now see you are posting, so I'll postpone my other comments until after that.

5 Likes

Hi rg305,

First of all, thank you for your response. :slight_smile:

Yes, I plan to use crontab to execute the command, but I'm not sure whether the renew command needs to be modified.
Maybe I need to add --renew? Or --force? Or something else? Or can the same command renew?
Because my certificate isn't three months old yet, I can't test whether the actual renew command is the same. So, I came here to ask everyone.

acme.sh is my backup tool for when certbot has issues,
so I'd like to know if both tools need their commands modified when renewing after three months.

In short, I want to know if the renew command is different from the one used when applying for the certificate for the first time.

Thanks :slight_smile:

2 Likes

Sure, thank you for your reminder. I will renew it in two months.

2 Likes

We'll see who responds first :slight_smile:

You provided a manual auth hook so you can automate that renewal with Certbot

You just run certbot renew as the command in the cron (or systemd timer)

You do not use --force

You can test today with certbot renew --dry-run
This uses the Staging system to test and will not change your production certs

acme.sh has a similar renew idea

6 Likes

If you have to do anything manually while running those commands, your cron job will be missing that [manual] piece and fail.

5 Likes

More background on certbot renew ...

It is usually run at least once a day - even twice at random times. You may already have something set up for that during Certbot install.

The renew looks at the certs known to Certbot on your machine. The cert command options and profile are saved in your /etc/letsencrypt/renewal folder for each cert.

If the cert is fresh enough, nothing more is done. Only when the cert is within the renewal period will certbot run your hooks and request a cert.

Also see
https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals

5 Likes

Because during testing, I noticed some differences from the production environment, but I've forgotten the details.

I forgot whether I was using acme.sh or certbot, but during DNS authentication, I noticed that the authentication process was different in the production and testing environments.
If you type this:
-d *.example.com -d example.com
production and test are different on DNS auth,
so the test step is not the same as the production step for DNS auth.

1 Like

DNS auth should not be different.

But, Let's Encrypt will cache successful validations for a specific account and domain name for 30 days (currently). So, a subsequent command may not need a new auth.

For --dry-run at least, Certbot flushes any staging cache so each attempt is the same and more like what will happen for an actual renewal.

5 Likes

Thanks for your reply :slight_smile:

The article you provided is about Automated Renewals.
As I'm doing it manually, I'm not sure if I can use the same renewal command in two months.

1 Like

Ah, these terms are confusing.

Your Certbot command uses the manual method but provides a manual-auth-hook. As long as that hook doesn't require your manual intervention (like it displaying info and you manually updating the TXT record) then it can be automated.

Certbot will fail if you try to renew a manual method without such a hook provided.

Just try certbot renew --dry-run and see what happens :slight_smile:

8 Likes
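As an added example (not code from this thread, from Certbot, or from acme.sh), here is a small Python pre-flight check for the two points made in the replies above: certbot renew reads the saved options from /etc/letsencrypt/renewal and only renews a --manual cert unattended if an auth hook was stored with it, and Let's Encrypt's guidance is to renew once a third of the lifetime remains. The sample conf is constructed; its key names are modelled on real certbot renewal files but are an approximation.

```python
import configparser
from datetime import datetime

# Constructed sample, modelled on a certbot /etc/letsencrypt/renewal/<name>.conf
# (key names approximated from real certbot files; not copied from the thread).
SAMPLE_CONF = """\
archive_dir = /etc/letsencrypt/archive/www.example.com
cert = /etc/letsencrypt/live/www.example.com/cert.pem
privkey = /etc/letsencrypt/live/www.example.com/privkey.pem
chain = /etc/letsencrypt/live/www.example.com/chain.pem
fullchain = /etc/letsencrypt/live/www.example.com/fullchain.pem

[renewalparams]
account = 0123456789abcdef
authenticator = manual
manual_auth_hook = /root/global/dns.sh
manual_cleanup_hook = /root/global/ultradns_clean.sh
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
"""

def parse_renewal_conf(text):
    """The file is INI-like, but its path keys sit above the first section."""
    cp = configparser.ConfigParser()
    cp.read_string("[top]\n" + text)
    return cp

def check_renewal_conf(text):
    """Summarise whether `certbot renew` could handle this cert unattended."""
    cp = parse_renewal_conf(text)
    params = cp["renewalparams"]
    auth = params.get("authenticator")
    hook = params.get("manual_auth_hook")
    # A --manual cert can only renew from cron if an auth hook was saved with it.
    return {
        "authenticator": auth,
        "auth_hook": hook,
        "automatable": auth != "manual" or bool(hook),
        # Stable path: the /live/ symlinks always point at the newest files.
        "fullchain": cp["top"].get("fullchain"),
    }

def renewal_due(not_before, not_after, now):
    """Let's Encrypt guidance: renew once a third of the lifetime remains
    (day 60 of a 90-day cert). Dates are ISO strings, e.g. '2024-03-01'."""
    nb, na, at = (datetime.fromisoformat(d) for d in (not_before, not_after, now))
    return (na - at) <= (na - nb) / 3
```

Run check_renewal_conf over each file in the renewal folder before trusting a cron job; a result with automatable set to False is the case where certbot renew would stop and wait for a human.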
