I need to check expiration and renew a certain certificate (and subsequently execute a special --renew-hook associated with it). How to renew a specific certificate (not all those about to expire)? Thank you.
You may use the certonly command for this, but you have to specify the exact set of domain names on the command line. You can list all certificates AND their included names with certbot certificates.
Then run certbot certonly -d domain1 [-d domain2 [-d domain3]]
Add your hooks to the command line as needed.
See https://certbot.eff.org/docs/using.html#renewing-certificates for further details.
Originally this wasn’t possible with certbot renew and so the only option was the way that @bytecamp describes. I believe @erica’s change implementing --cert-name with certbot renew has been a part of Certbot since version 0.10.0. You can also use --cert-name to specify an individual certificate to renew.
You can find the name of the certificate for the command @schoen mentions above with the command certbot certificates
Ah, that was also part of the post from @bytecamp I’m just seeing now…
Does renew with --cert-name have different behavior with regard to saving hooks?
If not, the OP probably wants to use bytecamp’s method so their hook runs on future automatic renewals…
Like if the hooks are specified on the renew command line?
That’s what I meant, but I think I misread the OP. They did seem to just want to execute their existing renew hook.
Thank you very much all for the help. Based on suggestions above, I guess the command needed should look like this:
certbot renew --renew-hook "/opt/scripts/convert_cert.sh" --cert-name sub.domain.com
The bad thing is that I cannot test this for sure before the certificate reaches expiration, unless there’s a way to force renewal.
Use --force-renewal in this case.
Tested, works great. Any idea how often it is recommended to attempt renewal? Every week, 5 days, 3 days? When does certbot treat a certificate as expiring soon? Before how many hours of expiry?
certbot renew should be run twice a day, it just reissues certificates if they are due for renewal whatsoever. Never run a periodic job with --force-renewal, this flag is for corner cases only!
By default, "certbot renew" renews certificates when they will expire in less than 30 days.
That can be adjusted, but there's usually no reason to.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
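The lookup-then-renew sequence discussed in this thread, as an added example that is not part of any post: it maps a hostname to its certificate name from the text printed by certbot certificates and prints the certbot renew --cert-name command only when fewer than 30 days remain. The listing is a constructed, trimmed sample, and cert_status and renew_command are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. Parses the text printed by
# "certbot certificates"; the listing below is a constructed, trimmed sample.
SAMPLE_LISTING='Found the following certs:
  Certificate Name: sub.domain.com
    Domains: sub.domain.com www.sub.domain.com
    Expiry Date: 2017-06-01 10:00:00+00:00 (VALID: 21 days)
  Certificate Name: example.org
    Domains: example.org
    Expiry Date: 2017-08-10 10:00:00+00:00 (VALID: 89 days)
  Certificate Name: old.example.net
    Domains: old.example.net
    Expiry Date: 2017-01-01 10:00:00+00:00 (INVALID: EXPIRED)'

# Print "<cert-name> <days-left>" for the certificate covering hostname $2.
# Hostnames are compared exactly, so "domain.com" does not match
# "sub.domain.com". Anything not shown as "VALID: N day(s)" counts as 0.
cert_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Certificate" && $2 == "Name:" { name = $3; hit = 0 }
        $1 == "Domains:" { for (i = 2; i <= NF; i++) if ($i == want) hit = 1 }
        $1 == "Expiry" && hit {
            days = 0
            if (match($0, /\(VALID: [0-9]+ day/))
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
            print name, days
            exit
        }'
}

# Print the renew command for hostname $2, or explain on stderr and return 1.
# 30 days is the default threshold of certbot renew mentioned in the thread.
renew_command() {
    st=$(cert_status "$1" "$2")
    [ -n "$st" ] || { echo "no certificate covers $2" >&2; return 1; }
    name=${st% *}
    days=${st#* }
    if [ "$days" -lt 30 ]; then
        echo "certbot renew --cert-name $name"
    else
        echo "$name not due: $days days left" >&2
        return 1
    fi
}

# On a real host, pass "$(certbot certificates)" instead of the sample.
renew_command "$SAMPLE_LISTING" www.sub.domain.com
```

The printed command leaves the renewal decision to certbot itself and never adds --force-renewal, so it is safe to run from a periodic job.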