How to renew an expired LetsEncrypt cert?

I have generated a cert before, using

certbot certonly --manual --csr file-with-my-csr.txt

No issues there, it has been working perfectly, but now it has expired;

  • Do I need to
  1. generate a NEW CSR from my host, an run it thru the above command, or
  2. use the same CSR and run it thru the above command

More details below, not that it matters...

My domain is: Not relevant, general question on renewal

I ran this command: (previously, the first time around, as above.)

It produced this output:
0000_cert.pem, 0000_chain.pem, 0001_chain.pem;

My web server is (include version):
IIS on a shared host;

The operating system my web server runs on is (include version):
Windows 201? not relevant, probably the latest

My hosting provider, if applicable, is:
Not relevant

I can login to a root shell on my machine (yes or no, or I don't know):
No, don't be silly, it's a shared windows server host

I'm using a control panel to manage my site;
A customised one, provided by the host.

The version of my client is (e.g. output of certbot --version is 0.40.0

1 Like

No idea why you would have done it this way, but you can reuse the same CSR as many times as you like.


One of your next steps should be to automate the renewals. Feel free to ask for help (should you need any) once you have decided to do that (or with anything else related that presents you with any challenge).


No, I don't think it is possible to automate the renewal on a Windows server which I don't control (as stated in the rest of my post)

But back to my original question, do I get a new CSR or keep the same, that is the basic question I am asking.


If you can "somehow run certbot", then you do "control it" (enough).

You question has been answered.
But here it is again (in another way): There is no requirement to change a CSR.
So you are free to use it as many times as needed.
The only requirement is that it (still) contain the list or FQDNs that need to be on the new cert.
AND, I suppose, at some point in time (as with all things) the security/encryption of the CSR itself may become obsolete and may need to be redone.
[Like with SHA-1, SSL3, TLSv1, CRC, WEP, 3DES, MD5 (or any other outdated protocol). Time turns all secure things insecure]


I already answered this question.


@rg305 Yes, I can "somehow run certbot" but never said I am running it on the target server which I don't control; In fact I am running it on a linux machine, generating the certs on it, and pasting the certs manually on the target server.

But thanks for your input and @danb35; It will probably be easier to just generate a new CSR and use exactly the same command which worked before; (Because to renew using the same CSR I guess the certbot options are different, and probably that adventure will turn out to be another time sink).


No, they aren't; issuing using a CSR is issuing using a CSR.


I understand better now.
But you can still automate the Linux process.
certbot would know when the cert needs to be renewed and can do that part for you (using any automated method you can think of).
And it may also be configured to trigger a script to send you an email notification of such renewals.
So that you know when you need to copy paste the cert manually.


Ok @danb35, so the validity is tied to when the command is run (another way of saying it).


In short: If you got certbot to issue a cert using your own CSR even once, then you can do those exact same steps again (and again ...)
You should also be able to program those step(s) on a schedule.
Teach certbot and let it do the work for you :slight_smile:


More accurately, it's tied to when the certificate is issued, but those are pretty much the same thing.


Thanks @rg305, I got confused seeing here User Guide — Certbot 1.21.0 documentation that there is a

certbot renew

option, but if it makes no difference I will try now using the exact same command in my original post.


Thank you @danb35


Once you have issued a cert, certbot will learn how and remember those last settings (in the renewal config file).
It will also usually setup a cron job (or systemd timer) to automatically check all your certs for expiry.

Have a look at any file(s) in folder:

and the output of:
certbot certificates

and the output of:
crontab -l
systemctl list-timers | grep certbot


Thanks for the extra info @rg305, it will come in handy later, when I start running some linux servers.

Right now, my Windows host actually forces me to generate a new CSR, because they don't do renewals / extensions via their interface !


Then you haven't learned all the tricks for that system.
For instance, is there a ways to share a cert from one Windows server to another? (yes, of course)
But if they each make CSRs, their private keys are different and a single cert won't fit both requests.
So you can treat even a single server as the second server and process the CSR elsewhere.

EDIT: Sorry you have mentioned that you have very little access to the Windows server - I keep forgetting... I wonder if I'm getting old? LOL


Yes you are (just to rub it in); we all are...


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.