I've never had an issue with renewing the certificates manually in the past. In fact, my initial issue was that the certs would renew but not get picked up by the browsers. This is the first time the cert didn't even renew.
I'm quite certain that the command you provided will work to renew my certs immediately, but then I will need to wait 60 days before I will know if they renew on their own. So I'm reluctant to go ahead and renew them without understanding 1) Why they did not renew on their own most recently and 2) Why, in the past, they renewed but did not get picked up by browsers.
What is the difference between this command, sudo certbot certonly --cert-name vestasit.com --webroot -w /var/www/html -d "vestasit.com,www.vestasit.com" --deploy-hook "/usr/local/lsws/bin/lswsctrl reload" --force-renewal
which I used just over two months ago, and the command you have provided:
That's an easy one.
The "sudo certbot certonly ..." command will literally only get the updated/renewed cert.
You have to do something to let the web server know about that change and take the necessary action to begin using the new cert (usually a reload or restart).
Adding "--deploy-hook "/usr/local/lsws/bin/lswsctrl reload"" should take care of that part for you.
Which was previously seen as a "renew-hook"
But for whatever reason that did NOT work for you.
If not these things... then the moon is in the right place today/now - LOL
You don't have to wait 60 days to test this out.
I'll address that on the next post.
Looks like it worked to renew the cert and has been picked up by browsers. Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vestasit.com
http-01 challenge for www.vestasit.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: /usr/local/lsws/bin/lswsctrl reload
Output from lswsctrl:
[OK] Send SIGUSR1 to 24325
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vestasit.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vestasit.com/privkey.pem
Your cert will expire on 2021-05-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
So I'll check in 60 days and see if it auto renewed. I'll update this thread in 60 days either way.
You'll want to try the following to ensure that your renewal configuration is correct:
sudo certbot renew --dry-run
If that works, try the following ONLY ONCE:
sudo certbot renew --force-renewal
If that works, the only likely reason your renewal would not go smoothly in 60 days is if you don't have an automated task functioning to run the following (usually once per day):
That should cause a renewal attempt to occur every 3 minutes for testing purposes. The certificate will only actually renew if it will expire within 30 days.
For reference:
* * * * * command to be executed
- - - - -
| | | | |
| | | | ----- Day of week (0 - 7) (Sunday=0 or 7)
| | | ------- Month (1 - 12)
| | --------- Day of month (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)
We should be able to view a log of executions with this:
You only need the default (up to) "certbot -q renew" in the cron job.
All else is read from the renewal config file.
[which might explain why it wasn't doing things as expected]
Are you a glutton for (typing errors) punishment?
Just use:
*/3 in the minute field to do it every 3 minutes.
It resolves it like:
If [[absolute value of (current minute integer / 3)] * 3] = [current minute integer], then do it now.
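To make the field layout from the crontab diagram and the `*/3` step rule concrete, here is an added example (not code from anyone in this thread) that evaluates a 5-field crontab line against a timestamp. The step test for `*/3` reduces to integer division: the minute fires when `(minute // 3) * 3 == minute`, i.e. the minute is a multiple of 3. It assumes the simplification that every field must match (Vixie cron instead ORs day-of-month and day-of-week when both are restricted).

```python
from datetime import datetime

# Field order and ranges from the crontab diagram quoted above:
# minute, hour, day of month, month, day of week (Sunday = 0 or 7).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def field_matches(spec, value, lo, hi):
    """True if one crontab field ("*", "*/n", "a", "a-b", "a-b/n", lists) hits value."""
    for part in spec.split(","):
        start, end, step = lo, hi, 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part != "*":
            if "-" in part:
                a, b = part.split("-", 1)
                start, end = int(a), int(b)
            else:
                start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"field {spec!r} outside {lo}-{hi}")
        # "*/3" becomes range(0, 60, 3): every minute that is a multiple of 3.
        if value in range(start, end + 1, step):
            return True
    return False


def cron_matches(line, when):
    """True if the 5-field schedule at the start of `line` fires at `when`."""
    fields = line.split()[:5]
    if len(fields) != 5:
        raise ValueError("need: minute hour day-of-month month day-of-week")
    dow = (when.weekday() + 1) % 7           # Python Monday=0 -> cron Sunday=0
    values = [when.minute, when.hour, when.day, when.month, dow]
    for spec, value, (lo, hi) in zip(fields, values, FIELD_RANGES):
        # Sunday may be written as 0 or 7 in the day-of-week field.
        if hi == 7 and value == 0 and field_matches(spec, 7, lo, hi):
            continue
        if not field_matches(spec, value, lo, hi):
            return False
    return True


def firing_minutes(minute_spec):
    """All minutes within one hour at which a minute field fires."""
    return [m for m in range(60) if field_matches(minute_spec, m, 0, 59)]


if __name__ == "__main__":
    print(firing_minutes("*/3"))             # 0, 3, 6, ... 57
    print(cron_matches("*/3 * * * * certbot -q renew", datetime(2021, 3, 1, 12, 9)))
```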