I have researched some cases, but mostly the cert was created by the webroot plugin.
Can I edit /opt/letsencrypt/examples/cli.ini and then run the renew script on it?
30 1 * * 1 /opt/letsencrypt/letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini >> /var/log/le-renew.log && service nginx restart
I split this off into a new thread because I don’t think it’s about the original thread’s topic.
@kazeuraki, it seems like your cron job has the problem that it’s missing the service nginx stop and service nginx restart. There is now a feature called --pre-hook and --post-hook for this; how about something like
The --renew-by-default version that you quoted at the bottom is kind of unfortunate because it will renew the certificate in question every week, which is more often than necessary.
To summarize a few points:
① If you’re using --standalone for your certificates, you typically want to service nginx stop and service nginx start before and after actually doing a renewal, because the standalone configurator will want to use the TCP ports that your web server was using.
② If you’re using letsencrypt-auto renew and similar forms, it decides for you whether or not to renew each individual certificate. This command can be run very frequently (it does not need to be run only once per week or only once per month). However, for renewing --standalone certificates, it still wants to stop and restart the web server, which can be done with --pre-hook and --post-hook. For other certificates, you will need some way to at least reload or gracefully restart the web server configuration when a renewal happens (which could be done with --renew-hook).
③ If you’re using certonly --renew-by-default (which is now normally written as certonly --force-renew), it will try to renew the specified certificate at the time the command is run. If run very frequently, that can trigger Let’s Encrypt rate limits. The certonly subcommand acts only on a single specified certificate, not on multiple certificates. This is normally not recommended with cron jobs, although it’s theoretically possible to use it with them if you understand Certbot and cron well and are careful. For --standalone certificates, this would also still need a command to stop and restart the web server.
I hope that’s clear; there are a lot of details here.
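The three points above amount to one procedure: run `renew` (not `certonly --renew-by-default`) from cron, and attach the web-server stop/start only in the standalone case. The script below is an added example, not the command the reply above was going to suggest and not part of the thread; it reuses the thread's paths (/opt/letsencrypt/letsencrypt-auto and /var/log/le-renew.log) and assumes a twice-daily schedule, `service nginx reload` for the webroot case, and the helper names `renew_cmd`, `crontab_line` and `is_unsafe_for_cron`, all chosen here.

```shell
#!/bin/sh
# Added example: build a rate-limit-safe Let's Encrypt renewal entry for cron.
# Paths come from the thread; the schedule and helper names are assumptions.
LE_BIN=/opt/letsencrypt/letsencrypt-auto
LOG=/var/log/le-renew.log

# renew_cmd AUTHENTICATOR -> prints the renew command for that authenticator.
# 'renew' only touches certificates that are due, so it is safe to run often.
renew_cmd() {
  case "$1" in
    standalone)
      # standalone binds the web ports itself, so nginx must be down during
      # the challenge; the hooks only fire when a renewal is actually attempted.
      printf '%s renew --pre-hook "service nginx stop" --post-hook "service nginx start"\n' "$LE_BIN" ;;
    webroot)
      # webroot serves the challenge through the running nginx; just make it
      # pick up the new certificate after a successful renewal.
      printf '%s renew --renew-hook "service nginx reload"\n' "$LE_BIN" ;;
    *)
      echo "unknown authenticator: $1" >&2
      return 1 ;;
  esac
}

# crontab_line AUTHENTICATOR -> full crontab entry, logging stdout and stderr.
# 01:30 and 13:30 (assumed schedule): frequent enough to catch renewals early.
crontab_line() {
  cmd=$(renew_cmd "$1") || return 1
  printf '30 1,13 * * * %s >> %s 2>&1\n' "$cmd" "$LOG"
}

# is_unsafe_for_cron CMDLINE -> success (0) when the command forces a renewal
# on every run, which is what trips the duplicate-certificate rate limit.
is_unsafe_for_cron() {
  case "$1" in
    *--renew-by-default*|*--force-renew*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: print the entry for the authenticator the certificates were issued with.
crontab_line "${1:-webroot}"
```

Before installing the entry, the same renew command with `--dry-run` appended exercises the hooks against the staging environment without consuming the rate limit; the cron line itself only changes by adding that flag.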
Thanks for your support.
① Can this command renew all certs installed on my VPS, or only one cert at a time? My VPS has domainA and domainB installed, with Let's Encrypt for each domain as well.
Following your advice, I changed my crontab to
I'm trying to avoid using it because this will stop the webserver whether certs are renewed or not. So --pre-hook and --post-hook will stop & start the webserver only when certs need to be renewed.
③ Thank you for the warning about --renew-by-default. It will trigger the rate limit (5 certs in 7 days). I will not use it anymore.
Last but not least, THANK YOU SO MUCH