Force challenge request always for test

Hi ..

I ran this command using Ansible to create a request and receive a certificate

cmd: "{{ certbot_script }} certonly {{ certbot_staging }} \
          {{ renew_certificate|default() }} \
          --standalone \
          --noninteractive \
          --agree-tos \
          --preferred-challenges http \
          --email {{ certbot_admin_email }} \
          --rsa-key-size {{ certbot_rsa_bits }} \
          --http-01-address 0.0.0.0 \
          --http-01-port={{ certbot_port }} -d {{ cert_item }}"

It produced this output:
Congratulations you receive certificate.

My web server is (include version):

We don't use a web server. We use HAProxy to send requests to a Certbot backend which is installed on the same HAProxy server, so we run in standalone mode so that Certbot starts the web server itself.

The operating system my web server runs on is (include version):

CentOS 8

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.20

Question: Is it possible to "force Let's Encrypt to do the http-01 challenge" every time we test a request using --force-renewal?
Because we see this behavior:

1- Certbot gets the certificate the first time (we need to do this process many times while developing the Ansible role, using the --staging API of course), but
2- when Certbot runs again using --force-renewal, we see that Certbot never starts the standalone server again to do the challenge.. it is like "download the already existing certificate from Let's Encrypt", which is fine in this case.
3- We revoke the test certificate and everything about it is deleted on the server.
4- Re-run again... and it downloads the certificate... without starting the standalone server again.

We need to make test configurations using other load balancers and send traffic to the Certbot backend for the http-01 challenge, but we can't do it.

We won't create many records (test1, test2, test3, ... test1000.ourdomain.com) just to see the challenge only the first time, every time we need to test it.

thanks in advance

2 Likes

The --dry-run flag will achieve this. One of its side effects is to ensure that fresh challenges are performed every time.

Of course, --dry-run will not save any certificates to disk. If necessary, you can do a --dry-run followed by a --staging run. The first command will guarantee the challenge works, and the second run will save the certificate. Not elegant, but it should work.

We originally considered having a separate --deactivate-authorizations flag but it didn't make the cut. It would have been useful for you, but probably not useful enough for everyone.

2 Likes

Note that --force-renewal is not necessary when using --dry-run. Please don't use --force-renewal on the production servers.

3 Likes

@_az @Osiris

Thanks for your quick answer.....

--dry-run is fine.. I tested it and yes.. it works! Now we can test other load balancers.

But I have another question about this option..

The first time I get the certificate.... but how exactly does --dry-run work?

Does it create the certificate and then Certbot does not save it to disk?.... or
does it SIMULATE a certificate and not save it to disk... or
do you need to create the certificate and save it at least once, to TEST AFTERWARDS using --dry-run??

I mean, if I invented a NEW certificate that never existed... does --dry-run create a certificate on the Let's Encrypt server side?

2 Likes

--dry-run does create a certificate on the server side, yes. In that respect, it is not simulated.

What happens is that Certbot discards the certificate, instead of saving it to disk.

The reason I suggested doing a --staging run after a --dry-run is in case you actually need a test certificate on disk, to complete your integration/end-to-end testing. If you don't need a certificate on disk for that purpose, then you can just do a --dry-run.

3 Likes

ok thanks... :+1:

2 Likes

Please please please replace that step in your process.
Revoking a certificate is not the way to delete a cert once it is no longer needed.

Revoking a cert because it has the side effect of also deleting the cert is very bad practice.
If you want a cert deleted, then just delete the cert:
certbot delete --cert-name {the-unneeded-cert-name}

2 Likes
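The test flow recommended in this thread (a --dry-run to force fresh http-01 challenges, a --staging run only when a certificate is actually needed on disk, and `certbot delete` rather than `certbot revoke` for cleanup), written up as an added example script. This is not code from the thread or from the Certbot project; the e-mail address, port and `--run` entry point are placeholders, and `CERTBOT` can be pointed at a stub so the sequencing can be exercised without a CA.

```shell
#!/bin/sh
# Added example (not from the thread): a small wrapper that tests HTTP-01
# challenges with certbot --dry-run, which performs fresh challenges on every
# run and discards the issued certificate, then obtains a staging certificate
# only after the dry run passed, and removes an unneeded test lineage with
# "certbot delete" instead of revoking it.
#
# Assumptions (placeholders, not from the thread): CERTBOT may be overridden,
# e.g. with a stub, for offline testing; EMAIL and PORT are sample values.

CERTBOT="${CERTBOT:-certbot}"
EMAIL="${EMAIL:-admin@example.com}"
PORT="${PORT:-8888}"

# Options shared by both issuance runs. Deliberately no --force-renewal:
# it is not needed with --dry-run and should never be used on production.
run_certbot() {
    "$CERTBOT" certonly \
        --standalone \
        --noninteractive \
        --agree-tos \
        --preferred-challenges http \
        --email "$EMAIL" \
        --http-01-address 0.0.0.0 \
        --http-01-port "$PORT" \
        "$@"
}

# Step 1: validate the challenge path. --dry-run talks to the staging CA and
# discards the certificate, so it can be repeated as often as needed and the
# standalone listener is started every time.
challenge_dry_run() {
    run_certbot --dry-run -d "$1"
}

# Step 2: only once the dry run passed, obtain a staging certificate that is
# saved to disk for end-to-end testing behind the load balancer.
issue_staging_cert() {
    run_certbot --staging -d "$1"
}

# Step 3: clean up a test lineage that is no longer needed. Deletion, not
# revocation: revoke only when a key is compromised.
delete_test_cert() {
    "$CERTBOT" delete --cert-name "$1" --noninteractive
}

# Full flow: returns 0 when both steps succeed, 1 if the dry run fails and
# 2 if the staging issuance fails. A failing challenge never leads to an
# issuance attempt, so repeated test runs do not hit rate limits needlessly.
test_issuance_flow() {
    domain="$1"
    challenge_dry_run "$domain" || { echo "dry-run failed for $domain" >&2; return 1; }
    issue_staging_cert "$domain" || { echo "staging issuance failed for $domain" >&2; return 2; }
    return 0
}

# Usage: ./test-issuance.sh --run test1.ourdomain.com
if [ "${1:-}" = "--run" ]; then
    test_issuance_flow "$2"
fi
```

Run it from the HAProxy host that backends the http-01 path; because the dry run always starts the standalone listener, each load-balancer configuration can be checked by pointing the balancer at the Certbot backend and watching whether the dry run succeeds.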

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.