Renewal and Certificates deletion and installation


#1

I have 2 queries here…

  1. I got the SSL certificate 4 days back. I need to know whether it is renewing properly. I ran cmd certbot dry run… It shows congrats, certificate is renewed, but in the certificate, the expiration is still the same… No improvements… Is there any limit on days for renewal…

  2. How can I cancel/permanently delete the certificate with Let’s Encrypt?

Thanks,


#2

Right. --dry-run gets fake certificates from the staging environment and doesn’t save them. It tests most aspects of renewal pretty well, but not all of them.

If you use --force-renewal, it will issue new certificates from the production environment and save them. Don’t do this too frequently. Especially don’t do it automatically. It’s wasteful, and Let’s Encrypt has rate limits.

Let’s Encrypt can issue more certificates without revalidating for a certain amount of time (currently 30 days, but this is not guaranteed). (Even if Certbot looks like it’s validating again.) It’s not easy to bypass that within Certbot, so forcing an extremely early renewal may not actually test validating again, but it will exercise the other parts.

How much do you want to delete it? For what purpose?

The “certbot delete” command can delete your local certificate files.

The “certbot revoke” command can also revoke the certificate, which you need to do if it has been compromised or the domain is no longer yours, but you normally don’t need to do if you just want to stop using it. (Revoking a certificate will also stop Let’s Encrypt from sending you emails when it’s about to expire, but you can just ignore them.)

You can’t erase all evidence the certificate existed – they’re permanently archived in public Certificate Transparency logs, which can be searched on https://crt.sh/ and other websites.

(And deleting or revoking certificates doesn’t affect Let’s Encrypt’s rate limits.)


#3

Hi Matt,

Thanks a lot for your response. Your answers are clear…

But what should I do if I want to cancel the certification with Let’s Encrypt and move to some other SSL certificate issuer for the same domain in the worst case (I should not get errors while accessing my domain in the browser)…

Thanks,


#4

You don’t really have to cancel anything to switch to another CA.

You should obtain the new certificate, configure your software to use it, and then you can “certbot delete” – or, if you want, “certbot revoke” – the Let’s Encrypt certificate.

If you want, then you can uninstall Certbot.
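
Added example, not part of the thread and not Certbot's own code: a guard for the order described in #4 (new certificate configured first, “certbot delete” second) that refuses to proceed while any active web-server config line still points at the Let’s Encrypt files. It assumes Certbot's default /etc/letsencrypt layout; the function names and the config-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: check that the server config no longer uses the Let's Encrypt
# certificate before its local files are deleted.
# Assumption: Certbot's default directory layout under /etc/letsencrypt.
LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# Print every active (non-comment) config line that still references the
# lineage's files under live/ or archive/. Returns 0 if at least one exists.
find_cert_references() {
    lineage="$1"
    conf_dir="$2"
    # -F: fixed strings, so the dots in a domain name are not regex wildcards.
    grep -rnF -e "$LE_DIR/live/$lineage/" -e "$LE_DIR/archive/$lineage/" \
        "$conf_dir" 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'
}

# Returns 0 only when no active reference to the old certificate remains.
safe_to_delete() {
    lineage="$1"
    conf_dir="$2"
    if refs=$(find_cert_references "$lineage" "$conf_dir"); then
        echo "Still referenced, do not delete yet:" >&2
        echo "$refs" >&2
        return 1
    fi
    echo "No active references to $lineage in $conf_dir"
    return 0
}

# Usage: ./check.sh example.com /etc/nginx \
#          && certbot delete --cert-name example.com
if [ "$#" -eq 2 ]; then
    safe_to_delete "$1" "$2"
fi
```

Deleting the files while a server block still names them makes the next web-server reload fail, which is the browser-facing error the question in #3 wants to avoid.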