How do I renew a letsencrypt SSL certificate on fresh linux box using certbot?


#1

I have an SSL certificate issued by https://letsencrypt.org/ . It will be expiring tomorrow and I am having trouble renewing it. I have spun up a fresh linux box and installed certbot (as per https://letsencrypt.org/getting-started/ ). I have the following saved in a local directory:

cert.pem
chain.pem
fullchain.pem
privkey.pem

Within the directory that contains the certificate I then run

/path/to/certbot/certbot-auto renew --dry-run --force-renew

certbot appears to not find the certificates as it then says

No renewals were attempted.

I have also run

/path/to/certbot/certbot-auto renew --force-renew

and get the same response.

Is there a way to renew certificates that are not stored in the expected /letsencrypt/archive/… folder as is the case for a fresh installation on a fresh box?


#2

Since you don’t have all the old /etc/letsencrypt files, the easiest way is to just generate new certificates for the domain (rather than using the renew option, as it doesn’t know what to renew).


#3

Thank you for your response. Isn’t there any risk with generating all new certs rather than renewing them? I recall getting prompts on my phone / computer when certificates change.


#4

No, it’s no different than a “renew”.

Essentially all the “renew” command does is generate new certificates for you, so there is no difference. It’s just an easier way to automate things when you have several different domains: the “renew” flag will use the existing data (domain names etc.) to generate new certificates (if you have all that info stored, which you don’t on this server).


#5

Indeed, the certbot renew command is only willing to attempt to renew things that are in the expected places in /etc/letsencrypt (with the appropriate configuration file and symbolic link structure as created by the certbot or letsencrypt client). There is no way to ask certbot directly to make a new certificate based on an existing certificate PEM file outside of /etc/letsencrypt.

I agree with @serverco also that there is no harm in simply making a completely new certificate, because that’s ultimately what certbot is going to do in response to the renew command (including, right now, making a new private key!). There are some tools like Certificate Patrol that generate a warning when a site’s certificate or subject key changes, but currently certbot renew will cause that warning for users just as much as obtaining a completely separate certificate will, because the user-visible changes for a visitor to the website are the same.
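
As an added illustration of the point above (not code from this thread or from certbot itself), the following POSIX shell function checks whether a lineage is laid out the way certbot renew expects: a renewal/<name>.conf file plus live/<name>/{cert,chain,fullchain,privkey}.pem symlinks that resolve into archive/<name>/. The directory names are the standard certbot layout; make_sample_tree builds a constructed throwaway tree with placeholder PEM contents so the check can be run offline, with one lineage done correctly and one consisting only of copied PEM files, as in the original question.

```shell
#!/bin/sh
# check_lineage <letsencrypt-dir> <lineage-name>
# Prints one line per problem found and returns 0 only when the lineage is
# complete, i.e. when "certbot renew" would actually consider it.
check_lineage() {
  base="$1"; name="$2"; rc=0
  if [ ! -f "$base/renewal/$name.conf" ]; then
    echo "missing renewal config: $base/renewal/$name.conf"; rc=1
  fi
  for f in cert chain fullchain privkey; do
    link="$base/live/$name/$f.pem"
    if [ ! -L "$link" ]; then
      echo "not a symlink: $link"; rc=1          # plain copied file or absent
    elif [ ! -e "$link" ]; then
      echo "dangling symlink: $link"; rc=1       # archive file was removed
    else
      case "$(readlink "$link")" in
        *"archive/$name/$f"*) ;;                 # points into archive/<name>/
        *) echo "unexpected target for $link: $(readlink "$link")"; rc=1 ;;
      esac
    fi
  done
  return $rc
}

# Constructed sample tree for demonstration only (placeholder contents, not
# real certificates): "good.example" is laid out as certbot creates it,
# "copied.example" is a directory of bare PEM files with no config and no
# symlinks, which is why renew reports "No renewals were attempted".
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/archive/good.example" "$root/live/good.example" \
           "$root/renewal" "$root/live/copied.example"
  for f in cert chain fullchain privkey; do
    echo "PLACEHOLDER $f" > "$root/archive/good.example/${f}1.pem"
    ln -s "../../archive/good.example/${f}1.pem" "$root/live/good.example/$f.pem"
    echo "PLACEHOLDER $f" > "$root/live/copied.example/$f.pem"
  done
  printf 'version = 1.0.0\narchive_dir = %s\n' "$root/archive/good.example" \
    > "$root/renewal/good.example.conf"
  echo "$root"
}

# On a real host: check_lineage /etc/letsencrypt example.com
```

Run against the sample tree, the copied lineage yields five diagnostics (no renewal config plus four non-symlink PEM files), matching what the thread describes for a fresh box.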


#6

Okay, thank you @serverco and @schoen for your responses. I’ve deployed brand new certificates as recommended, and no prompts from my browser(s). Thank you again!
