Renewal By default


#1

I got an SSL certificate with the following command:

sudo ./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns --renew-by-default -d *.hcx.global -d hcx.global

As can be seen, the --renew-by-default was set during generation of the certificate.

Now I am getting reminder mails stating that the certificate will expire in X days and that I should renew the certificate before then.

Does this need any manual intervention or will this renew by default?


#2

From https://certbot.eff.org/docs/using.html

--force-renewal, --renew-by-default
If a certificate already exists for the requested domains, renew it now, regardless of whether it is near expiry. (Often --keep-until-expiring is more appropriate). Also implies --expand. (default: False)

So, if you mean will using --renew-by-default automatically set up a schedule for renewals?
That answer is no.
You will need some sort of cron job to run and do the renewals for you.
But since you also used manual and --preferred-challenges dns (which is unavoidable when obtaining wildcard certs), you will either have to rerun the process again manually or…
See if your DNS provider offers some sort of API that can be used to script the DNS update process and then use a hook to call that update when needed in order to remove the manual requirement.
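The hook approach from the reply above, as an added example that is not part of the thread: a POSIX shell script usable as certbot's `--manual-auth-hook` and `--manual-cleanup-hook` for the dns-01 challenge. It relies on the environment variables certbot passes to manual hooks (`CERTBOT_DOMAIN` and `CERTBOT_VALIDATION`). The DNS provider API is not on the page, so `publish_txt_record` and `delete_txt_record` are stand-ins that write to a local zone file; replace their bodies with your provider's API call. The file path, the wait time, and the `auth`/`cleanup` argument convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not certbot's own code. Usage (assumed invocation):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/path/to/acme-dns-hook.sh auth" \
#     --manual-cleanup-hook "/path/to/acme-dns-hook.sh cleanup" \
#     -d '*.example.com' -d example.com
# The hooks are stored in the renewal config, so a scheduled "certbot renew"
# can then reuse them without anyone typing the TXT record by hand.

# Stand-in "zone": a local file instead of a DNS provider API (constructed).
ZONE_FILE="${ZONE_FILE:-/tmp/acme-dns-zone.txt}"
# Seconds to wait for DNS propagation before certbot asks the CA to validate.
PROPAGATION_WAIT="${PROPAGATION_WAIT:-30}"

# Name of the TXT record the CA queries. Strip a leading "*." defensively so a
# wildcard name maps to the same record as the bare domain.
acme_record_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# Stand-in for the provider API: append one record line to the zone file.
publish_txt_record() {
    printf '%s TXT "%s"\n' "$1" "$2" >> "$ZONE_FILE"
}

# Stand-in for the provider API: remove the matching record line.
delete_txt_record() {
    [ -f "$ZONE_FILE" ] || return 0
    tmp="$ZONE_FILE.tmp"
    grep -v -x -F "$1 TXT \"$2\"" "$ZONE_FILE" > "$tmp" || true
    mv "$tmp" "$ZONE_FILE"
}

# Check helper: succeeds when the record is present in the zone file.
zone_has_record() {
    [ -f "$ZONE_FILE" ] && grep -q -x -F "$1 TXT \"$2\"" "$ZONE_FILE"
}

# --manual-auth-hook entry point: certbot exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION before running it.
auth_hook() {
    : "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN not set (run via certbot)}"
    : "${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set (run via certbot)}"
    name="$(acme_record_name "$CERTBOT_DOMAIN")"
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    sleep "$PROPAGATION_WAIT"
}

# --manual-cleanup-hook entry point: remove the record once validation is done,
# so stale challenge tokens do not accumulate in the zone.
cleanup_hook() {
    : "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN not set (run via certbot)}"
    : "${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set (run via certbot)}"
    name="$(acme_record_name "$CERTBOT_DOMAIN")"
    delete_txt_record "$name" "$CERTBOT_VALIDATION"
}

# Dispatch on the first argument; does nothing when sourced without one.
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Pair the script with a scheduled `certbot renew` (cron or a systemd timer) to remove the manual step entirely; keep the API credential the real `publish_txt_record` needs readable only by the user that runs certbot, since it can rewrite records for the whole zone.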


#3

I am really sorry that we named that option --renew-by-default. In subsequent versions of Certbot it was renamed to --force-renew, but Certbot still accepts the old name, which is a confusing name.

The reasoning behind calling it --renew-by-default was that it would renew without asking in cases where it otherwise appeared inappropriate to renew the certificate. However, this still only applied to the individual time that Certbot was run and not to creating an automatic renewal process.