Renew --dry-run

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: buecherei.ev-kirche-entringen.de

I ran this command: renew --dry-run

It produced this output: No simulated renewals were attempted.

My web server is (include version): apache2

The operating system my web server runs on is (include version): debian 11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

I got an email proposing to renew my certificate although it expires in 4 weeks. As I'm a newbie to LetsEncrypt-Certificates, I tried the "renew dry-run" with the result above. What does that result mean? Could I now start a renew (without dry-run)?

Greetings
Martin

Hi @fmartin, and welcome to the LE community forum

I'm guessing that you either didn't read the email thoroughly OR you didn't quite understand it.

Please show the output of:
certbot certificates

3 Likes

Sorry, here is the output of "certbot certificates":


No certificates found.


That makes me wonder regarding the mail I received two days ago:

Your certificate (or certificates) for the names listed below will expire in 19 days (on 2023-08-28). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.

buecherei-intra.ev-kirche-entringen.de
buecherei.ev-kirche-entringen.de

Greetings
Martin

My crystal ball tells me:

  • You now have a certificate for a slightly different set of names, so while the certificate with those two names is expiring, it may be that they're using a different certificate now and so that there's nothing to worry about.
  • You're using some software other than certbot to manage them. (Or alternatively, you're using the certbot on a different machine than the one that you're running that command on.)

But it's hard for people here to know more about your systems than you do, so those are just guesses. (Though many here are amazingly good at helping people by piecing together information from what is public.)

3 Likes

That cert with the ...-intra... name is expiring in 18 days and was the reason for the warning email from Let's Encrypt

The question is whether you need it or not.

You got later certs with the other name in the 'intra' cert so did those obsolete that one?

If not, then something has gone wrong with your renewal and that certbot has no record of any cert says you either wiped out certbot or never used certbot to get these certs.

Further, while you have both A and AAAA records in your DNS for that 'intra' name, the IPv4 connects to Apache but IPv6 times out.

Your recent cert history

5 Likes
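The check the last two replies describe, as an added example that is not part of the original thread: given the certificates issued for a domain, list which names on a soon-to-expire certificate are not kept valid by any later certificate. The record layout, the second certificate and its date are constructed for illustration; only the two hostnames and the 2023-08-28 expiry come from the thread.

```python
from datetime import date

# Constructed sample records (not real CT log data). Hostnames and the
# 2023-08-28 expiry are from the thread; the second record is assumed.
CERTS = [
    {"names": {"buecherei-intra.ev-kirche-entringen.de",
               "buecherei.ev-kirche-entringen.de"},
     "not_after": date(2023, 8, 28)},
    {"names": {"buecherei.ev-kirche-entringen.de"},
     "not_after": date(2023, 10, 15)},
]
TODAY = date(2023, 8, 9)  # 19 days before the expiry named in the email


def covers(san, name):
    """True if a certificate name (exact or single-label wildcard) covers name."""
    san, name = san.lower(), name.lower()
    if san.startswith("*."):
        parts = name.split(".", 1)
        return len(parts) == 2 and parts[1] == san[2:]
    return san == name


def uncovered_names(expiring, all_certs, today, min_days_left=30):
    """Names on `expiring` that no other cert keeps valid for min_days_left more days."""
    live = [c for c in all_certs
            if c is not expiring
            and (c["not_after"] - today).days >= min_days_left]
    return sorted(n for n in expiring["names"]
                  if not any(covers(s, n) for c in live for s in c["names"]))


def triage(all_certs, today, warn_days=30):
    """Map each soon-to-expire cert's expiry date to the names still needing a cert."""
    report = {}
    for cert in all_certs:
        days_left = (cert["not_after"] - today).days
        if 0 <= days_left < warn_days:
            report[cert["not_after"].isoformat()] = uncovered_names(
                cert, all_certs, today, warn_days)
    return report


if __name__ == "__main__":
    for expiry, names in triage(CERTS, TODAY).items():
        print(expiry, "->", names or "nothing to do, all names covered elsewhere")
```

An empty list for an expiry date means the warning email can be ignored; any name that remains is still served only by the expiring certificate and needs a renewal if the host is still in use.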
