How does certbot decide the -000x suffix for certificate renewal

Here is a link for assistance: certbot — Certbot 2.7.0.dev0 documentation, which states:

  --force-renewal, --renew-by-default
                        If a certificate already exists for the requested
                        domains, renew it now, regardless of whether it is
                        near expiry. (Often --keep-until-expiring is more
                        appropriate). Also implies --expand. (default: False)

The service was written by someone else about 4 years ago.
I joined last month :) and am now running into this.

Personally, my first step would be to learn what every option does, but that's just me.


No.

If it were simply trying to "renew", it would not "create" anything "new".
Except for the weird case where you explicitly tell certbot to renew even when it can't validate all the names on the cert [see: --allow-subset-of-names].
When that happens, certbot will be forced into creating a new cert, because not all the names are being included in this new request.

As already mentioned, the best place to answer these types of questions is in the docs:
User Guide — Certbot 2.7.0.dev0 documentation (eff-certbot.readthedocs.io)


I'm not so sure about that. As far as I know, it overwrites the existing certificate.


hmm...
That may be true.
[hard for me to say as I never use --allow-subset-of-names]

In any case, it would NOT do:


I didn't understand this. We are using the certbot certonly command. When the client requests a renewal, the option --force-renewal is appended to it.
So, you are saying that without --force-renewal, the suffix -0005 would be created?
And if --force-renewal can't renew any cert due to broken links, it won't do anything, right?

I don't think --force-renewal is causing the -000x numbers.
It only speeds up the (broken) renewal process by forcing it to happen immediately [not at the next regular schedule].

Correct.


Thanks for clarifying this. So in my case certbot certonly would have created those suffixes when it found broken certificates.
I came across a similar thread and this one.
What would be the behavior of certbot certonly if the certificate links aren't broken?

You'd want certbot renew for renewals: certonly is for making a new lineage.


The current service code is using certbot certonly and certbot certonly --force-renewal.
I think it is not using certbot renew.

That is bad coding.
It is partly to blame for all the -000x certs.

Once a cert has been created, you only need to renew it, with:
certbot renew

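As an added example, not from the thread and not certbot's own code: a small POSIX shell script that inspects a certbot-style config directory, lists the -000x lineages that repeated certonly runs leave behind, and flags any live/ entry whose symlinks into archive/ are dangling (the "broken links" the thread refers to). The directory layout is constructed inline with dummy PEM files so the script runs offline; the function names (make_demo_config, suffixed_lineages, broken_lineages) and the three lineage names are the example's own, not certbot's. It assumes only the standard layout of <config>/live/<name>/{cert,privkey,chain,fullchain}.pem as symlinks into <config>/archive/<name>/.

```shell
#!/bin/sh
# Added example (not certbot code): find -000x duplicate lineages and
# dangling live/ symlinks in a certbot-style configuration directory.
set -eu

# Build a constructed config directory for the demonstration.
make_demo_config() {
  dir=$(mktemp -d)
  # Healthy lineage: live/ symlinks resolve into archive/.
  mkdir -p "$dir/archive/example.com" "$dir/live/example.com"
  for f in cert privkey chain fullchain; do
    printf 'dummy pem\n' > "$dir/archive/example.com/${f}1.pem"
    ln -s "../../archive/example.com/${f}1.pem" "$dir/live/example.com/$f.pem"
  done
  # Duplicate lineage, as created by a second 'certonly' for the same names.
  mkdir -p "$dir/archive/example.com-0001" "$dir/live/example.com-0001"
  for f in cert privkey chain fullchain; do
    printf 'dummy pem\n' > "$dir/archive/example.com-0001/${f}1.pem"
    ln -s "../../archive/example.com-0001/${f}1.pem" "$dir/live/example.com-0001/$f.pem"
  done
  # Lineage whose archive/ directory was deleted: the symlinks dangle.
  mkdir -p "$dir/live/example.com-0002"
  for f in cert privkey chain fullchain; do
    ln -s "../../archive/example.com-0002/${f}1.pem" "$dir/live/example.com-0002/$f.pem"
  done
  printf '%s\n' "$dir"
}

# Print, one per line, the live/ lineage names carrying a -NNNN suffix.
suffixed_lineages() {
  config=$1
  for d in "$config"/live/*/; do
    name=$(basename "$d")
    case $name in
      *-[0-9][0-9][0-9][0-9]) printf '%s\n' "$name" ;;
    esac
  done
}

# Print, one per line, the live/ lineage names with at least one dangling symlink.
broken_lineages() {
  config=$1
  for d in "$config"/live/*/; do
    name=$(basename "$d")
    for f in cert privkey chain fullchain; do
      # -e follows the symlink and is false when the target is missing.
      if [ ! -e "$d$f.pem" ]; then
        printf '%s\n' "$name"
        break
      fi
    done
  done
}

DEMO=$(make_demo_config)
trap 'rm -rf "$DEMO"' EXIT

echo "lineages with a -000x suffix:"
suffixed_lineages "$DEMO"
echo "lineages with dangling symlinks:"
broken_lineages "$DEMO"
```

Point the two functions at a real /etc/letsencrypt instead of the demo directory to audit a host; a lineage that appears in the first list but not the second is a duplicate that certbot renew will keep renewing alongside the original until it is removed with certbot delete.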

That should never have happened.

