Both acme.sh --issue --force and --renew --force may effectively renew an existing certificate. In cases where a certificate is still within its validity period, both of these commands renew the certificate. What is the difference?
a. Please stop using the --force
You only need to use --renew.
b. there is no difference to computers between issue and renew
those are more of a human differentiation
[when you renew a cert you are actually issuing a new cert for that same set of names]
c. acme.sh should have added a scheduler to automatically renew the certs
please don't manually add things that are not needed
You mean stop using --force option with --renew right? Isn't it ok to use --force with --issue?
I understand a cronjob gets added but is there a way for us to check whether auto renew works without waiting till it expires?
Try temporarily changing the 60 day wait default instead.
I concur with @rg305's comment.
It is not needed in most circumstances.
Well said and good advice. The less it is manipulated, you are more likely to get the results you seek.
sudo crontab -l will show you the command(s) that are scheduled to run and when.
It is reliable enough to allow it to run as programmed by acme.sh. If you have it configured to mail you a notification when it runs, you can verify that it is working.
There are only a few reasons to use --force and usually there is none.
With Namecheap cPanel shared webhosting, this did not happen. So I needed to take it into my control and see whether I could set up a script to check the expiry date of the installed certificate and either --issue --force or --renew the certificate before it expires. If there were a way to test whether the auto renew will work as expected, I would not need to worry.
Almost never.
I don't think you should be worried.
This same setup has worked for many people for many years.
Also with --issue, there's no need for --force.
hmm..
I'm not 100% certain that --issue will do so when not yet ready.
Why would you want that?
In acmesh-official it says, under 12. How to renew the certs, you can also force to renew a cert: acme.sh --renew -d example.com --force
So I wanted to know, if I use --force with --issue it seems it does the same thing. So is there a difference in the result?
Just to be sure that it works. Because it did not renew my certificate the last time. I'm on Namecheap shared cPanel webhosting.
You CAN use --force, as mentioned, but it's absolutely not required when trying to do a normal renewal. The fact it's possible, does not mean you should use it.
The command just below the one you've mentioned is an example where there is a good reason to use --force: when changing the key type from RSA to ECDSA for example.
Other than that: just use --renew.
Note that the documentation of acme.sh is often quite lacking and/or sometimes difficult to understand. I'm at a loss why the author of that part of the documentation would include such a thing with just the argument "you can" without actually explaining the meaning of that function. Quite confusing.
Force will forcibly [try to] issue a cert.
There is no need to add issue to that line - it will likely be ignored.
But even if you do add it in, it can't change the action [force].
Let's talk more about that.
What went wrong?
How did you correct that problem?
Hi Osiris, do you mind explaining a bit as to what are those few reasons?
- What are the few good reasons to use --issue --force
- What are the few good reasons to use --renew --force
I believe this helps some including myself. Thank you for your input.
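A read-only way to check whether the scheduled renewal is keeping up, given as an added example that is not part of any post in this thread and is not acme.sh's own code. It assumes 90-day certificates together with the 60-day renewal default mentioned above; the names cert_renewal_status, make_sample_cert and MIN_DAYS_LEFT are hypothetical, and the sample certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether a certificate is
# already past the point where the scheduled renewal should have replaced it.
# Assumption: 90-day certificates renewed at day 60 always have about 30 days
# left, so fewer than MIN_DAYS_LEFT days means the scheduled job is not working.
MIN_DAYS_LEFT=${MIN_DAYS_LEFT:-25}

# cert_renewal_status FILE [MIN_DAYS]
# Prints ok | overdue | expired | unreadable; returns 0 | 1 | 2 | 3.
cert_renewal_status() {
    cert=$1
    min_days=${2:-$MIN_DAYS_LEFT}
    # Anything that does not parse as an X.509 certificate is reported as such.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
        echo overdue; return 1
    fi
    echo ok
}

# make_sample_cert FILE DAYS: constructed self-signed certificate for the demo.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -days "$2" -subj "/CN=example.com" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir/fresh.pem" 90   # stands in for a cert renewed on schedule
    make_sample_cert "$dir/stale.pem" 10   # stands in for a cert the job never renewed
    for name in fresh stale; do
        printf '%s: %s\n' "$name" "$(cert_renewal_status "$dir/$name.pem")"
    done
    rm -rf "$dir"
}

# With a path argument, check that certificate; with none, run the demo.
if [ "$#" -gt 0 ]; then cert_renewal_status "$@"; else demo; fi
```

Pointed at the installed certificate file, a non-zero exit status is the signal to look at the scheduled job's output rather than to reach for --force.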