How to renew a specific certificate?


#1

I need to check expiration and renew a certain certificate (and subsequently execute a special --renew-hook associated with it). How to renew a specific certificate (not all those about to expire)? Thank you.


#2

You may use the certonly command for this, but you have to specify the exact set of domain names on the command line. You can list all certificates AND their included names with certbot certificates.

Then run certbot certonly -d domain1 [-d domain2 [-d domain3]]

Add your hooks to the command line as needed.

See https://certbot.eff.org/docs/using.html#renewing-certificates for further details.


#3

Originally this wasn’t possible with certbot renew and so the only option was the way that @bytecamp describes. I believe @erica’s change implementing --cert-name with certbot renew has been a part of Certbot since version 0.10.0. You can also use --cert-name to specify an individual certificate to renew.


#4

You can find the name of the certificate for the command @schoen mentions above with the command certbot certificates

Ah, that was also part of the post from @bytecamp I’m just seeing now… :stuck_out_tongue:


#5

Does renew with --cert-name have different behavior with regard to saving hooks?

If not, the OP probably wants to use bytecamp’s method so their hook runs on future automatic renewals…


#6

Like if the hooks are specified on the renew command line?


#7

That’s what I meant, but I think I misread the OP. :flushed: They did seem to just want to execute their existing renew hook.


#8

Thank you very much all for the help. Based on suggestions above, I guess the command needed should look like this:

certbot renew --renew-hook "/opt/scripts/convert_cert.sh" --cert-name sub.domain.com

The bad thing is that I cannot test this for sure before the certificate reaches expiration, unless there’s a way to force renewal.


#9

Use --force-renewal in this case :slight_smile:


#10

Tested, works great :slight_smile: Any idea how often it is recommended to attempt renewal? Every week, 5 days, 3 days? When does certbot treat a certificate as expiring soon? Before how many hours of expiry?


#11

certbot renew should be run twice a day; it just reissues certificates if they are due for renewal whatsoever. Never run a periodic job with --force-renewal; this flag is for corner cases only!


#12

By default, “certbot renew” renews certificates when they will expire in less than 30 days.

That can be adjusted, but there’s usually no reason to.
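
An added example, not part of any post in this thread: shell helpers that read `certbot certificates` output to find the certificate name covering a domain (the value to pass to --cert-name) and report whether it is inside the default 30-day renewal window. The sample output is constructed and its layout is an assumption about certbot's listing format; the function names are hypothetical.

```shell
# Constructed sample of `certbot certificates` output (assumed layout, made-up dates).
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: sub.domain.com
    Domains: sub.domain.com www.sub.domain.com
    Expiry Date: 2030-01-20 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: other.example
    Domains: other.example
    Expiry Date: 2030-03-30 10:00:00+00:00 (VALID: 81 days)
  Certificate Name: old.example
    Domains: old.example
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Print the certificate name whose Domains line lists exactly $1 (reads stdin).
cert_name_for() {
  awk -v want="$1" '
    /Certificate Name:/ { name = $3 }
    /Domains:/ { for (i = 2; i <= NF; i++) if ($i == want) { print name; exit } }
  '
}

# Print whole days of validity left for certificate name $1 (reads stdin).
# Prints 0 when the certificate is expired or has under one day left.
days_left() {
  awk -v want="$1" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ && name == want {
      if ($5 == "(VALID:" && $7 ~ /^day/) print $6; else print 0
      exit
    }
  '
}

# Exit status 0 when certificate $1 has fewer than $2 days left (default 30).
renewal_due() {
  left=$(days_left "$1")
  [ -n "$left" ] && [ "$left" -lt "${2:-30}" ]
}

# Demo on the constructed sample; on a real host pipe `certbot certificates` instead.
name=$(sample_output | cert_name_for www.sub.domain.com)
if sample_output | renewal_due "$name"; then
  echo "due: certbot renew --cert-name $name"
fi
```

The helpers only read the listing and print a suggested command; the renewal decision itself stays with certbot renew.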