Does certbot-auto connect when renewing certificate?


#1

I want to make sure that certbot is always on top of renewing my Let’s Encrypt SSL certificates. However, I don’t want my server to hog up someone else’s server’s bandwidth. So, I want my server’s crontab to check the SSL certificates for renewal every 1-5 minutes.

But, I want to make sure that doing this won’t send an external request to someone else’s server (like Let’s Encrypt certificate authority, or whatever) every 1-5 minutes. Will it? I don’t mind if it sends a request if it’s to renew the cert because it’s time.

Here’s the command that I am going to have run every 1-5 minutes:
"./certbot-auto renew --quiet --no-self-upgrade --apache"


#2

Hi @Eliter, Certbot doesn’t need to ask the CA in order to know whether it’s time to renew, because the expiry time of the certificate is present inside the certificate itself. The default behavior of certbot renew will look at the expiry time of each installed certificate and only try to renew if a certificate is less than 30 days from expiry.

So, it only makes network connections when actually trying to renew, and only tries to renew when it needs to. In conclusion, there shouldn’t be any reason that you can’t run it every 1-5 minutes as you propose.

If you have a very large number of certificates (I’d imagine thousands or tens of thousands) it might not manage to finish checking all of them within the 1-5 minute window and then you might have a problem with larger and larger numbers of certbot processes running in parallel. But for a typical site with only a handful of certificates, this problem isn’t likely to arise.
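An added example, not part of the original replies and not certbot's own code: the kind of purely local check described in #2, done here with `openssl x509 -checkend`, which reads the expiry time from the certificate file and makes no network connection. The function names, the 30-day default variable and the `example.test` certificates are constructed for the illustration.

```shell
#!/bin/sh
# Added example: decide from the certificate file alone whether it is inside
# the renewal window. Nothing here contacts the CA or any other host.

RENEW_WINDOW_DAYS=30   # window described in the reply above

# needs_renewal CERT_PEM [DAYS]
# Returns 0 if the certificate expires within DAYS (renewal due),
#         1 if it is still valid beyond the window,
#         2 if the file is missing or is not a parseable certificate.
needs_renewal() {
    cert=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    [ -r "$cert" ] || return 2
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -checkend "$((days * 86400))" -noout \
            -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert OUT_PEM DAYS
# Builds a constructed self-signed certificate valid for DAYS days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo on two constructed certificates: 10 and 90 days of validity left.
demo_dir=$(mktemp -d)
for d in 10 90; do
    make_test_cert "$demo_dir/cert$d.pem" "$d"
    rc=0
    needs_renewal "$demo_dir/cert$d.pem" || rc=$?
    case $rc in
        0) echo "cert$d.pem: renewal due (would contact the CA)" ;;
        1) echo "cert$d.pem: not due (no network traffic needed)" ;;
        *) echo "cert$d.pem: unreadable" ;;
    esac
done
rm -rf "$demo_dir"
```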

