Certificate renewal challenge dns-01 with --force-renewal and cron

Hello everyone,

I recently set up a certificate using the dns-01 challenge on a Debian machine, successfully registering a new TXT record with my domain host OVH.

My question revolves around automating the certificate renewal. Currently, I'm using the following command:

certbot certonly --dns-ovh --dns-ovh-credentials /root/.secrets/certbot/xxxxxx.ini -d example.domainx.com --force-renewal >> /var/log/letsencrypt/renew.log 2>&1

This command forcefully generates a new certificate without waiting for expiration and overwrites files in /etc/letsencrypt/live/example.domainx.com with a new certificate.

My main question is: if I place this command in a cron task to automate renewal every 2 months, is that sufficient? Do I actually need to use OVH's API for the permissions specified in my certbot certonly --dns-ovh --dns-ovh-credentials /root/.secrets/certbot/xxxxxx.ini command?

The mentioned permissions are as follows:

  • GET /domain/zone/*
  • PUT /domain/zone/*
  • POST /domain/zone/*
  • DELETE /domain/zone/*

Does the --force-renewal option in the certbot command alone suffice to handle automatic renewal without requiring the use of OVH's API?

Secondly, if it turns out I don't need OVH's API, since the --force-renewal option generates a new certificate with new dates, does that mean I'll never need to modify the TXT record in my DNS zone for my initial domain used to generate the certificate?

Thank you in advance for your advice and assistance!

That is a poor strategy. A cert request can fail for any number of reasons. You should not use --force-renew when getting the cert. Run certbot renew once or twice daily. It will renew if/when needed and running frequently will adapt to any temp problems.

Running certbot renew frequently is the best option to deal with CA revocations, temp outages, a future ARI protocol and other reasons.

The --force-renew is intended as a one-time option for unusual cases. Using it as a routine option often leads to problems like rate limits.

You may already have a cronjob or systemd timer after installing certbot. It is often set up as part of that install. See Certbot docs about this here

No, --force-renewal does not bypass the required cert validation. It only ignores the expiration date to allow renewal of a cert early. Apart from one-time use cases this is at best wasteful and at worst leads to rate limits.

7 Likes

Just to emphasize what @MikeMcQ just said:

Once you have used certbot certonly and received a certificate, it's fully managed by certbot. Run certbot certificates to see all the certificates that certbot is managing.

Once a certificate is managed by certbot, then you just want to run certbot renew a couple times a day, in order to have it check if it needs to be renewed and renew it if so. It uses the same settings as you used to acquire it in the first place if it needs to renew it. Most ways of installing certbot will set this up automatically. If you did something off the beaten path to install certbot and need to set this up yourself, then your cron job just needs to run certbot renew and that's it. And make sure to schedule it at a random time, if you join the crowd trying at 00:00 UTC it won't work nearly as well for anyone.

I'm not quite understanding your question. It will need access to your DNS provider's API the same way if that's how you got the certificate in the first place. The TXT record is only used when getting a certificate (either "new" or "renewal", they're really the same thing in terms of what needs to happen), and the DNS plugin for certbot should be adding the record when needed and removing it afterward automatically.

6 Likes
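Both replies above come down to the same procedure: drop `--force-renewal`, schedule `certbot renew` a couple of times a day at a randomized time, and keep the dns-ovh credentials in place because every renewal is a fresh dns-01 validation that writes and then deletes a TXT record through the OVH API. The script below is an added example, not code from the thread or from Certbot, that assembles those pieces: a cron line with a random minute and hour, a credentials file written under mode 0600 (Certbot warns when that file is readable by others), and a `--dry-run` you should run once against the staging CA before trusting the job. The paths, the `ovh.ini` filename, the nginx reload hook and the APPKEY/APPSECRET/CONSUMERKEY placeholders are assumptions; the demo writes to a temporary directory so it can be run anywhere. Only add the cron line if `systemctl list-timers certbot.timer` shows that the Debian package did not already install a timer.

```shell
#!/bin/sh
# Added example (not from the thread): build a `certbot renew` cron job with a
# randomized schedule and a locked-down OVH credentials file, instead of
# cron-ing `certonly --force-renewal` every two months as in the question.
set -eu

# Random minute (0-59) and first hour (0-11) in one awk call, so this host
# does not join the crowd hitting the CA at 00:00 UTC. awk's rand() is POSIX.
random_schedule() {
  awk 'BEGIN { srand(); printf "%d %d\n", int(rand() * 60), int(rand() * 12) }'
}

# Crontab line for /etc/cron.d: run twice a day, 12 hours apart. `certbot renew`
# exits 0 when nothing is due, so frequent runs cost nothing and retry transient
# DNS or CA failures by themselves. Arguments: minute, first hour.
cron_line() {
  printf '%s %s,%s * * * root certbot renew -q --deploy-hook "systemctl reload nginx"\n' \
    "$1" "$2" "$(( ($2 + 12) % 24 ))"
}

# Write the file certbot reads via --dns-ovh-credentials. The file is created
# under umask 077 so it is never world-readable, even briefly. Arguments: path,
# endpoint, application key, application secret, consumer key.
write_ovh_credentials() {
  creds=$1
  ( umask 077; : > "$creds" )
  chmod 600 "$creds"
  printf 'dns_ovh_endpoint = %s\ndns_ovh_application_key = %s\ndns_ovh_application_secret = %s\ndns_ovh_consumer_key = %s\n' \
    "$2" "$3" "$4" "$5" > "$creds"
}

# Permission string as ls shows it (-rw------- for mode 600); portable across
# GNU and BSD userlands, unlike stat's option syntax.
file_perms() { ls -ld "$1" | cut -c1-10; }

# Demo: writes to a temp dir. On a real host point creds at
# /root/.secrets/certbot/ovh.ini (assumed path) and append the cron line to
# /etc/cron.d/certbot-renew if no packaged timer exists.
demo() {
  dir=$(mktemp -d)
  creds="$dir/ovh.ini"
  write_ovh_credentials "$creds" ovh-eu APPKEY APPSECRET CONSUMERKEY  # placeholder values
  set -- $(random_schedule)
  cron_line "$1" "$2"
  echo "credentials: $creds ($(file_perms "$creds"))"
  echo "validate once before relying on the job: certbot renew --dry-run"
  rm -rf "$dir"
}
demo
```

One hardening step worth doing on the OVH side: when creating the token, the four rights in the question can be scoped to the zone actually used, for example `/domain/zone/example.domainx.com/*` rather than `/domain/zone/*`, so a leaked credentials file cannot edit every zone in the account.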
