Renew cert manually

I'm trying to verify 'certbot renew' functionality. With the current status of the certificate, if I run 'certbot renew' I get the output below. Is there any way I can adjust the current certificate's validity so I can confirm 'certbot renew' is working as expected? Based on the validation, I will add a cron job to update automatically. I understand 'certbot renew' automatically updates the cert, but I would like to see it in action.

letsencrypt]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No renewals were attempted.


Thanks.

3 Likes

Welcome to this forum @rchidura

Yes, if you did not have certbot create a cron job or systemd timer for you, then you should make one. Run a renew once or twice a day and it only takes action when the cert needs renewal. It looks at the number of days remaining in the /etc/letsencrypt/renewal conf file for the domain.

You could add --dry-run to the renew command to force a refresh. It will not create certs but will check authentication.

Is there something specific you want to see "in action"?

4 Likes

Thank you Mike.

On my system, the /etc/letsencrypt/renewal folder is created but there are no domain conf files. As I used a custom path, the conf file exists in the custom path. I can add a cron job to run the renew command, but with my company requirements I have to run/test the renew instead of automatic renewal. I'm trying to see if I can modify any conf (where it stores the cert create time) so 'certbot renew' can run successfully.

Thanks.

3 Likes

What shows?:
certbot certificates

2 Likes

I am not quite clear on your goal but the "cert create time" is stored in the certificate itself. The renewal conf file from certbot describes how it should do a renewal and when (the number of days remaining before expiry of the cert).

You could write a small program or script to get the x509 date info from the cert and decide when to re-do the command you used to create the cert. This would "renew" it. You could use the same program to check the x509 date info after certbot ran to ensure it is "fresh". As Rudy noted, you can run certbot certificates to see the cert and pertinent date info. This would help visualize what you have if nothing else. I hope this was helpful.

3 Likes

This most likely refers to the Not Before field.

@rchidura

You could use this (very, very sparingly):

sudo certbot renew --force-renewal

That will confirm the renewal process itself. All that remains is to confirm that the cron job is put in place with proper permissions. That's easily done by adjusting the time to renewal setting in the renewal configuration file to like 89 days then looking at the logs.

2 Likes

certbot-internal]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certificates found.


1 Like

The renewal conf file has a 'renew_before_expiry' line (renew_before_expiry = 30 days) but it is commented out. The other lines are understandable.

1 Like
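An added example, not code from any poster in this thread or from certbot: a sketch of the "small program" suggested above, which reads the Not After date with the openssl CLI and compares it with the renew_before_expiry value from the renewal conf file. The function names, the sample values, the days-only unit handling and the 30-day fallback for a commented-out line are assumptions made for this illustration.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Assumption: fall back to the 30 days shown in the commented-out conf line.
FALLBACK_WINDOW_DAYS = 30

# Constructed samples, not taken from a real system.
SAMPLE_CONF = "# renew_before_expiry = 30 days\n[renewalparams]\nauthenticator = webroot\n"
SAMPLE_ENDDATE = "notAfter=Jun 30 12:00:00 2024 GMT"


def renew_window_days(conf_text):
    """Return renew_before_expiry in days from the text of a renewal conf file.

    A line starting with '#' does not match, so the fallback applies.
    Only the 'N days' form is handled here.
    """
    for line in conf_text.splitlines():
        m = re.match(r"\s*renew_before_expiry\s*=\s*(\d+)\s*days?\s*$", line)
        if m:
            return int(m.group(1))
    return FALLBACK_WINDOW_DAYS


def parse_enddate(openssl_line):
    """Parse the one-line output of 'openssl x509 -enddate -noout'."""
    value = openssl_line.strip().split("=", 1)[1]
    if not value.endswith(" GMT"):
        raise ValueError("unexpected time zone in: " + openssl_line)
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def renewal_due(not_after, window_days, now):
    """True when less than window_days remain before not_after."""
    return not_after - now < timedelta(days=window_days)


def cert_enddate(cert_path):
    """Read Not After from a PEM certificate file via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_enddate(out)
```

Calling cert_enddate() before and after a renewal run shows whether the Not After date actually moved, which is the "fresh" check described above.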

The certificate renew is not doing anything as you do not have any certificates created by certbot. You must first make a Let's Encrypt certificate with certbot before you can use the certbot renew feature. If you had a certificate, it has been deleted.

If you want help making a new certificate it would be helpful for us to know some answers:

Your domain name:
Your web server and version (apache, nginx, ...):
The operating system my web server runs on and version:
The version of certbot installed (use certbot --version)

Thank you

3 Likes