We have a large number of certificates installed (over 5000) and I was wondering if there was any way to renew certificates in date of expiry order rather than alphabetical. For example, if I was to run certbot renew now, it will start renewing certificates that still have 25 days left (starting with letter A) but we also have some that are expiring next week (starting with letter N).
Also, a command line option to set the number of days from 30 to X might be useful, so we could run certbot renew and only process certificates which expire in the next 7 days.
We currently sort certificates in renewal order and run them manually. Please excuse me if it is possible to do this already but I could not find anything in the documentation.
@DSZaf Welcome to the community! Congrats on the 5000 certs.
A certbot renew already does what you ask, I think. It looks at each conf file in /etc/letsencrypt/renewal. If the cert it describes is "fresh enough" then nothing is done. Only when a cert is expiring within 30 days is a fresh cert requested.
The 30 days is the default and, no, there is no command line option for it. But, there is a setting in the renewal conf if you wish to change it. Look in any of your renewal conf files for a commented out line for renew_before_expiry
Given what you describe I am not sure how some of your certs would expire next week but others later than that. In any event, running certbot renew daily should keep all your certs fresh.
It seems like I must be missing something important about your request. I hope I have not just told you what you already know. Here is the page of the docs which describe what I just said: https://certbot.eff.org/docs/using.html#renewing-certificates
Update: There is a --cert-name option for selecting single certs to renew. Combined with --dry-run it is a nice way to test changes. Example: sudo certbot renew --cert-name example.com --dry-run
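As an added example (not from this thread and not part of certbot itself), here is a small POSIX shell script that lists the certificates under /etc/letsencrypt/live by expiry date and renews only those due within DAYS days, soonest first, using the --cert-name option mentioned above. It assumes the standard live/<name>/cert.pem layout, GNU date (for `date -d`), and openssl on the PATH; the `due_names` function that does the sorting and filtering works on plain "epoch name" lines so it can be checked without touching real certificates.

```shell
#!/bin/sh
# Renew certbot certificates nearest expiry first, limited to those expiring
# within DAYS days. Assumed layout: $LIVE_DIR/<cert-name>/cert.pem.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
DAYS="${DAYS:-7}"

# Print one "expiry_epoch cert_name" line per certificate found under LIVE_DIR.
list_expiries() {
  for d in "$LIVE_DIR"/*/; do
    name=$(basename "$d")
    [ -f "$d/cert.pem" ] || continue
    # notAfter=Jan  1 00:00:00 2025 GMT  ->  keep only the date part
    end=$(openssl x509 -noout -enddate -in "$d/cert.pem" | cut -d= -f2)
    # GNU date syntax; on BSD/macOS this conversion needs a different command
    epoch=$(date -u -d "$end" +%s 2>/dev/null) || continue
    echo "$epoch $name"
  done
}

# Read "expiry_epoch cert_name" lines on stdin and print the names whose
# expiry falls within $2 days of the reference time $1 (epoch seconds),
# sorted soonest first. Names outside the window are dropped.
due_names() {
  now="$1"; days="$2"
  cutoff=$((now + days * 86400))
  sort -n | awk -v cutoff="$cutoff" '$1 <= cutoff { print $2 }'
}

# Renew each due certificate individually. certbot itself still applies its
# renew_before_expiry check, so extra flags such as --dry-run can be appended.
renew_due() {
  list_expiries | due_names "$(date +%s)" "$DAYS" | while read -r name; do
    echo "Renewing $name"
    certbot renew --cert-name "$name" "$@"
  done
}

# Usage: DAYS=7 ./renew-due.sh renew [extra certbot flags]
if [ "${1:-}" = "renew" ]; then
  shift
  renew_due "$@"
fi
```

Running it daily with a 7-day window turns the alphabetical pass into an expiry-ordered one; certificates that are not yet due are never handed to certbot at all.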
I think this might be quite important. If certbot is run twice a day, I think it's highly unlikely that suddenly 5000 certs require renewal. So I'm curious how your renewal process is set up.