I received my first notification that my certificate needs to be renewed. Followed the link in it to https://letsencrypt.org/docs/integration-guide/. No instructions there on HOW to renew, only WHEN to renew. Searched this community. Could not find any instructions on how to renew. Searched the LetsEncrypt web site, could not find any instructions on how to renew.
What am I missing? Is there not a web page somewhere with step-by-step instructions?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Anyway, the original guide you’ve used to get and install the certificate should have a paragraph about renewing. For example, the official certbot instructions all have a paragraph called “Set up automatic renewal”.
The trouble for the renewal reminders is that there are dozens of different tools that can obtain and manage Let’s Encrypt certificates.
(There are also some others that are online-only or that are created or used by specific hosting providers and that aren’t listed there.)
Unfortunately, the reminder e-mail generator does not know which of these tools you’re using to manage your certificate, so it isn’t able to provide customized advice about exactly how to renew, since that process is different with each certificate management tool. The way that someone using acme.sh should renew a certificate is different from the way that someone using cPanel should do it, which is different from the way someone using Posh-ACME should do it, and so on.
@Osiris’s helpful point is that if you know how you originally obtained the certificate, you should be able to find associated renewal advice for that same software environment or method.
Let me suggest that if there are dozens of different tools that can obtain and manage Let’s Encrypt certificates, an instructions page that has those very words on it would be extremely helpful! Not that I’m ungrateful that all this exists, but that alone would at least have helped me understand and realize that I need to figure out what tool I have installed and check its documentation. Icing on the cake would be a list of such tools.
It would be extra super wonderful if the people who wrote those tools (I realize that’s not what this forum is about) would point out that one should make a note of how one installed the certificates, so that when renewal rolls around, one will have a clue.
I’ll repeat – I’m grateful all of this exists and I realize it is mostly or entirely created and maintained by volunteers, so I understand why things are sometimes a bit less complete and friendly than in the for-profit software world (of course, the opposite is often true!).
@Osiris looking at a renewal notice I got recently, it also included this paragraph:
We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
I’m not sure why that isn’t aligned with the version in git.
This is helpful feedback. I think we’ve always struggled with this kind of issue because we have such a broad user base (tens of millions of subscribers) with such different relationships both to system administration and to the Let’s Encrypt service itself. Some of them are professional system administrators who do this all the time as a core part of their day job, while others are web site owners who don’t even know what a certificate is (or that they had one) because their web hosts—or web development contractors—obtained the certificate for them.
If we include a lot of background information, it may annoy more experienced site administrators and make the reminders less useful to them, but if we assume a lot of background knowledge, it may confuse less experienced users and make the reminders less useful to them. (Note that most users probably never receive this reminder at all, because Let’s Encrypt is designed to be used with automated renewal processes, and a renewal reminder is only sent in cases where it appears this isn’t happening.)
One idea that I have that I’ll bring up with some of the people I work on things like this with is a “background” documentation link that would be included alongside, or perhaps instead of, the integration guide link. The “background” link would be mainly intended for people who don’t know, or don’t remember, how or why they got their certificates, and it would try to go over the issue that there isn’t one single renewal process independent of the details of one’s hosting environment, as well as other related information. I think that would be more useful than the integration guide link to most people who receive this message, while not being particularly confusing or distracting to experienced users who are already familiar with some of that context.
I’m not sure if that page is the most logical choice? It’s probably very daunting for regular users while the page - as far as I know - is meant for sysops implementing Let’s Encrypt in a very broad system. It does have a “When to Renew” paragraph, but I think a page with “what is renewal, why do you need to renew and how can you renew” in layman’s terms is a better option.