Check renew configuration



I created my certificat with a

./letsencrypt-auto certonly --manual --email --server --preferred-challenges dns -d *

My certificate works fine.

In the script output I have

To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew"

When I try to execute it I have

/etc/letsencrypt/live/ expires on 2018-08-16 (skipped)

Ok, it’s legit but I would like to check now that all will good on time.

Is a way to check the configuration now ?



The --dry-run option exists mainly for this purpose. It will attempt renewal early and use the staging server instead of the production server.

If you want to force the renewal to happen earlier, you can change the renewal period in /etc/letsencrypt/renewal/ (the built-in default is 30 days before expiry, which is in a commented-out setting which you can change to whatever you want, although if you permanently set it higher than 83 days you’re likely to run into problems with Let’s Encrypt rate limits).

You can also perform a single renewal with the option --force-renewal. Running certbot renew --force-renewal will renew all installed certificates using the same methods that certbot renew would have used when it decided that it was time to renew. If you have multiple certificates related to the same domain, or if you run several forced renewals in a row, you’ll eventually be stopped by rate limits. But just one for a single certificate shouldn’t cause any problems.

I used certbot in my descriptions of commands, but this is referring to the same software as letsencrypt-auto, which is the old name for certbot-auto.


Please show the script command.


This is the ./letsencrypt-auto call in my original post


Thanks a lot for the answer

My goal is to execute a command from Ansible to renew the certificate. So I would like to renew it whith a single command line.

I updated the /etc/letsencrypt/renewal/ file.

./letsencrypt-auto renew --force-renewal --standalone --preferred-challenges dns

But I have the following error:

Attempting to renew cert produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

Is a way to renew the server certificates from a single command line ?



Standalone mode only supports the HTTP challenge (and formerly TLS-SNI, which is now disabled). It doesn’t support the DNS challenge.

You either need to use --manual with a validation hook that implements DNS updates for your domain’s DNS host or use one of the available DNS plugins online. Which one will depend on who your domain’s DNS host is.