Early renewal for bncert (bitnami)


I applied "sudo /opt/bitnami/bncert-tool" for automatic renew.

If I also need to renew my certificate, what should I do?

I am using the bncert tool to manage the certs and it will not allow me to renew as the cert was issued 6 weeks ago.


On AWS I'm using sudo /opt/bitnami/bncert-tool, but it does not update the certificate dates. Anyone have a lead on forcing renewal?


I am using LetsEncrypt on Amazon Lightsail (certificate issued using sudo /opt/bitnami/bncert-tool), will I be required to renew it manually or will it be automatic once the other gets removed?

I am not familiar with bn-cert but most ACME clients are not capable of renewing a certificate when the active one is revoked. You will need to manually renew your certificate before the revocation deadline to ensure an uninterrupted experience for your site visitors.


I found something on cyberciti.biz that suggests using "sudo certbot renew"

That indeed seems to update the certificate dates, but checking on various SSL sites and the Firefox plugin the old dates are still shown. Is it usual for there to be a propagation delay for certificates?

Try this site for certbot use: https://www.cyberciti.biz/faq/how-to-forcefully-renew-lets-encrypt-certificate/

Basically, the easiest approach is "sudo certbot renew"

If that doesn't work, try "sudo certbot renew --force-renewal"

I am not sure what client Lightsail/Bitnami/AWS use. It might depend on each user’s installation guide. I am glad this worked for you!

If your renewal was successful and the certificate was updated on disk, then you probably need to reload your webserver to start using the certificate.
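
A way to check the situation described above (dates updated on disk, old dates still shown by SSL checkers), as an added example that is not part of the original thread. It assumes the `openssl` command-line tool is installed; the script name `check_cert.sh` is hypothetical, and the certificate path argument is whichever file your web server is configured to load.

```shell
#!/bin/sh
# Added example: is the web server still presenting the pre-renewal certificate?

# SHA-256 fingerprint of a PEM certificate file (empty output if unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# notBefore/notAfter lines of a PEM certificate file.
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Save the leaf certificate presented by host:port (SNI set to host) as PEM.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Print "match" if both files hold the same certificate, "stale" if the
# served one differs from the one on disk, "error" if either is unreadable.
compare_certs() {
    disk_fp=$(cert_fingerprint "$1")
    served_fp=$(cert_fingerprint "$2")
    if [ -z "$disk_fp" ] || [ -z "$served_fp" ]; then
        echo "error"; return 2
    fi
    if [ "$disk_fp" = "$served_fp" ]; then echo "match"; else echo "stale"; fi
}

# Usage (hypothetical script name): sh check_cert.sh HOST /path/to/cert.pem [PORT]
if [ "$#" -ge 2 ]; then
    served=$(mktemp)
    fetch_served_cert "$1" "${3:-443}" "$served"
    echo "On disk:"; cert_dates "$2"
    echo "Served by $1:"; cert_dates "$served"
    status=$(compare_certs "$2" "$served")
    rm -f "$served"
    echo "Result: $status"
    [ "$status" = "match" ] || echo "Reload the web server so it picks up the renewed certificate."
fi
```

A "stale" result means the renewal succeeded on disk but the running server process is still holding the old certificate in memory.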


The issue is that the cert cannot be renewed because the renewal date has not been reached.

Yes, this will be true for many certificates affected by the TLS-ALPN-01 issue. Most clients set the renewal period to attempt renewal beginning at 30 days before expiry and if your certificate doesn’t meet that requirement it won’t renew and utilize Let’s Encrypt resources unnecessarily. However, clients often have a flag or configuration option to change that and “force renew”. For certbot the command line argument is --force-renewal.


This worked for me for my Lightsail instance in AWS. See steps for "Renew a Let's Encrypt certificate installed using bncert-tool or Lego tool":


Thanks for your help.

If I registered for the domains like example.com, www.example.com

Then should I put "example.com, www.example.com" in "EMAIL-ADDRESS"?


Yes, this works for users who used /opt/bitnami/bncert-tool! Worked for my Bitnami WordPress EC2 instance (not Lightsail). The dates were updated :+1:
Thank you


Thank you so much for posting this documentation.


You only need to provide the root domain (i.e. example.com)

Worked for me as well.

Hello! Is there a procedure to do it starting from Bitnami in Amazon AWS? Thanks a lot!


Thanks for your reply!

One more last question...

After using those commands to renew, will it be automatically renewed as before?


Yes. Note the renew --days 90 flag at the end of the command below.

sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90

Ensure the renew --days 90 is lowered (to normal), or removed from the command, after this one-time reissuance.
[or it will be trying to reissue all certs each and every day]