Certonly --force-renewal

56629 · May 30, 2026, 10:37pm

When should you use certonly --force-renewal?

How does it work? My manual-auth-hook and manual-cleanup-hook scripts aren't getting called but I thought they would.

MikeMcQ · May 30, 2026, 10:58pm

Almost never. It used to be more helpful before the reconfigure command was created.

What if you run certbot renew --dry-run

You should be using --dry-run instead of production anyway when testing your hooks.

Let's Encrypt caches authorizations and I believe Certbot only calls those hooks when a new auth is needed. See the LE docs about profiles for the cache duration: Profiles - Let's Encrypt

The --dry-run will deactivate prior valid auths so new ones are then needed

56629 · May 31, 2026, 7:03pm

When should I use --test-cert alone or with --dry-run?

MikeMcQ · May 31, 2026, 7:29pm

--dry-run will deactivate prior auths. --test-cert will not. If used, you use just one of them.

They both use the Let's Encrypt Staging system

--test-cert will save the cert acquired from LE. --dry-run will not

When --test-cert is used interactively I believe Certbot will ask before clobbering a production cert. But, don't hold me to that I didn't verify current behavior. I don't recall you mentioning which version of Certbot you use so couldn't have commented on that anyway.

If you are not current, you should upgrade

Topic		Replies	Views
How to test renew hooks? Help	2	5507	January 8, 2020
How can run certbot only for a test? Server	4	12253	May 10, 2019
Testing renew-hooks Client dev	3	3455	May 4, 2017
Certificates can be updated even with a nonsensical manual-auth-hook script Help	4	1305	August 7, 2020
--dry-run fails while live renewal succeeds Help	8	602	August 17, 2023

Certonly --force-renewal

Related topics