Multiple certs were not combined into one: will they auto-update?


#1

Continuing the discussion from Migrating WordPress with HTTPs Secured by LetsEncrypt to New Server:

A lot of things have come up in the above topic and I don’t blame anyone for not following it through 100%, so I’m starting this as a new topic because it seems like a fairly straightforward question: can I count on my certificates being automatically updated through this weekly job that basically does letsencrypt renew (as described here), even though they were strangely not combined into one certificate:


#2

certbot renew will try to renew every certificate that’s in need of renewal, regardless of how many there are. It’s designed to be run often (at least once per day) because it tries to renew only when renewal becomes necessary (<30 days to expiry).


#3

And that holds even when some of the certs were originally obtained via webroot and others via manual dns challenge?

That doesn’t make sense to me: if certs are renewed if time to expiry is less than 30 days, then 7 or even 9 days seems completely sufficient to make sure that they are renewed before they expire. If you had said that a daily check is better because the plan is to significantly reduce the duration of letsencrypt certs, then I would understand, but like this?


#4

Unfortunately, I believe certificates obtained with “manual” can’t be renewed by certbot renew at all. This might not be true with hooks, but I’ll have to double-check.

[quote]That doesn’t make sense to me: if certs are renewed if time to expiry is less than 30 days, then 7 or even 9 days seems completely sufficient to make sure that they are renewed before they expire. If you had said that a daily check is better because the plan is to significantly reduce the duration of letsencrypt certs, then I would understand, but like this?
[/quote]

This was an arbitrary decision to make sure that people would have a comfortable amount of time in which to respond to possible renewal failures, taking into account that people may be on holiday, may have taken over a job or responsibility from someone else, may require other people’s help to complete the renewal process, etc. We often get people asking here about certificates that are only a short time away from expiry, which is unfortunate because it increases everyone’s stress level unnecessarily. If the default renewal interval were higher, we would probably be getting even more questions from people who are in this situation.

You can change this interval with a setting called renew_before_expiry in /etc/letsencrypt/cli.ini if you think it’s too long.
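To make the renewal logic described in #2 and #4 concrete, here is an added example (not certbot’s code and not from anyone in this thread) that models a daily `certbot renew` pass: it reads `renew_before_expiry` from cli.ini-style text, defaulting to 30 days, and classifies constructed lineages as due, not yet due, or due but obtained with the manual authenticator and no auth hook. The lineage records, hostnames and hook path are constructed for the example; the file layout is a simplified stand-in, not certbot’s real renewal-config format.

```python
import configparser
import datetime as dt
import re

# Constructed sample lineages (hypothetical simplified shape; certbot keeps the
# real per-lineage renewal parameters under /etc/letsencrypt/renewal/).
LINEAGES = {
    "example.com":      {"not_after": "2024-03-10", "authenticator": "webroot", "auth_hook": None},
    "mail.example.com": {"not_after": "2024-05-01", "authenticator": "webroot", "auth_hook": None},
    "wild.example.com": {"not_after": "2024-03-05", "authenticator": "manual",  "auth_hook": None},
    "api.example.com":  {"not_after": "2024-03-05", "authenticator": "manual",
                         "auth_hook": "/usr/local/bin/dns-auth.sh"},  # constructed hook path
}

# Constructed cli.ini content; renew_before_expiry is the setting named in #4.
CLI_INI = "renew_before_expiry = 10 days\n"


def parse_renew_before_expiry(ini_text, default_days=30):
    """Return the renewal window in days from cli.ini-style text (default: 30 days)."""
    cp = configparser.ConfigParser()
    cp.read_string("[certbot]\n" + ini_text)  # cli.ini has no section header of its own
    raw = cp.get("certbot", "renew_before_expiry", fallback=f"{default_days} days")
    m = re.fullmatch(r"\s*(\d+)\s*days?\s*", raw)
    if not m:
        raise ValueError(f"unsupported renew_before_expiry value: {raw!r}")
    return int(m.group(1))


def plan_renewals(lineages, today_iso, window_days):
    """Classify each lineage the way a daily renewal pass would.

    Returns {name: "renew" | "skip" | "needs-hooks"}: "skip" when the cert is not
    yet inside the window, "needs-hooks" when it is due but was obtained with the
    manual authenticator and has no auth hook (so an unattended run cannot finish,
    as #4 suspects), and "renew" otherwise.
    """
    today = dt.date.fromisoformat(today_iso)
    plan = {}
    for name, info in lineages.items():
        days_left = (dt.date.fromisoformat(info["not_after"]) - today).days
        if days_left >= window_days:
            plan[name] = "skip"
        elif info["authenticator"] == "manual" and not info["auth_hook"]:
            plan[name] = "needs-hooks"
        else:
            plan[name] = "renew"
    return plan


if __name__ == "__main__":
    window = parse_renew_before_expiry(CLI_INI)
    for name, action in plan_renewals(LINEAGES, "2024-03-01", window).items():
        print(f"{name}: {action}")
```

Running it once a day with a 30-day window, as #2 describes, means a single failed attempt still leaves about a month of retries before expiry; a weekly job with a 10-day window leaves only one or two.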


#5

According to @jmorahan, it is possible:


#6

In that example @jmorahan is apparently suggesting switching an existing certificate lineage away from manual to a different plugin, rather than renewing while it is still using manual.

