is it ok to run certbot with --force-renewal param every months?
I would like to know when the certs expires for example the last day of the months,
and I don't want to renew it 30 days before the expiry date.
Is this something that goes against the let's encrypt rules?
No, that is a bad idea.
You should really NEVER have to force a renewal.
Please explain that a bit more.
When do you want to renew it?
if you do that at best case it will get cert 60 days before expiration
It doesn't sound like it goes against the rules.
But I still don't quite fully understand exactly when you want the cert to renew?
On what schedule?
On the first day of every month?
Feel free to answer in any language.
It might not be illegal to do so, but it's certainly not "ok". It's simply wasteful and useless.
Let's Encrypt is meant to be automated. Just set up once, and forget about it. It should just renew on its own time and the user and system administrator shouldn't have anything to do about it. No manual renewals and especially no forced renewals.
Why would you even want to do so?
my intention is to schedule a cronjob in cron.monthly that does an automatic renew like this:
docker compose exec certbot certbot renew --force-renewal
I like to know when the cert is renewed (first day of the month for example) and I like to have more time to fix things if something isn't going to work...
this is for my smart home system running docker...
renewing the cert 30 days before the expiration is not enough for me because sometimes I'm far from my home for more than 30 days.
That's not an argument for too frequent forced renewals. Cronjobs can output an email if something went wrong.
And you don't have remote access to that system? 30 days should be MORE than enough.
What is the longest time away?
[assuming you don't have to remote administrative access]
You can run a similar command twice a day, removing
40 days more or less... I don't want to think at the Smart Home system when I'm away
but I want to know that all is working when I'm away.
Then make the automatic renewal period 45 days.
Running that cron every 30 days is a good way not to know if you have a valid certificate.
A renewal can fail for transient reasons beyond your control. Trying twice a day letting certbot decide if a renewal is warranted or not is the proper way to do this.
You don't want to wait another 30 days to retry.
You could also schedule obtaining a "test cert" [from staging] once a week.
And if that fails, it should email you.
change the automatic renewal period is what I would like to do but as far as I know it's not possible...
at the end, changing the renew period,
isn't the same thing as to force renew every 45 days?
The "result" may seem the same.
But, no, they are NOT the same thing.
Why would I even suggest doing something that is not possible?
I mean: Yes, of course it is!
User Guide — Certbot 2.7.0.dev0 documentation (eff-certbot.readthedocs.io)
I'm probably blind but I don't see any option in that doc that tell me how to configure the "renew time period",
I guess I'm just as blind!
[I was sure it was in there...somewhere]
Please show the renewal config file.
ok, found the file! thanks!!!!
just for reference for posters, the file is in the
"certbot/conf/renewal" folder... thanks!!!
That varies by operating system and the location can be overridden in the command line.