Renewing certificates with certonly


#1

So, I had to renew my certificate for the first time today… All went well, I think. My only question is: if I renew using ./letsencrypt-auto certonly do I have to update my certificate details as well? I’m new to all this SSL stuff. Thanks!


#2

Read: THIS


#3

### Renewing a Certificate
To renew a certificate, simply run letsencrypt again providing the same values when prompted. Let’s Encrypt is working hard to fully automate this process and we apologize for the inconvenience until this functionality is ready.

That doesn’t answer my question.
Because I’m not running Debian, ./letsencrypt-auto --apache doesn’t work and I have to do ./letsencrypt-auto certonly, if I’m understanding it right.


#4

You already quoted the right passage :wink:
if you read it carefully, you will notice that it doesn’t require you to have a debian based system or something like that. Simply repeat the command you did to get your current certificate.


#5

So I ran certonly again. That’s it? I don’t need to install the certificate? Or did the certificate not change?


#6

Your question is a bit tricky to answer since I can’t know how you configured your services that use the certificate. If you didn’t do some weird or stupid stuff you are done :stuck_out_tongue:

Read the User Guide for a more detailed answer :wink: (especially the “where are certificates” section)


#7

It depends on how you ran the command. Check the /etc/letsencrypt/live directory and look at the links and the dates of the files. If you ran “renew-by-default”, it force-renewed them. If you used “keep”, then it will renew them once they have 30 or less days left before expiration.

If you’re using the links in the live directory and not having to do any manipulation for other services - like combining the key and certificate chain to a single file - then simply restarting the service using the certificates will cause the files to be reloaded. If they have changed, the new contents will be read.
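To turn the check in this post into something repeatable, here is an added example script (not from the thread or the Let's Encrypt client) that walks a `live` directory, follows each `cert.pem` symlink to the archive file it points at, reads the certificate's expiry with `openssl`, and flags lineages inside the 30-day window in which `keep` would renew. It assumes `openssl` and GNU `date` are installed, and that the live root is `/etc/letsencrypt/live` unless another path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the original thread or of the client itself.
# Assumes openssl and GNU date (for `date -d`) are available.
LIVE_ROOT="${1:-/etc/letsencrypt/live}"   # assumed default location
RENEW_WINDOW_DAYS=30                       # the "keep" threshold from the thread

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> prints whole days remaining (negative if expired)
days_left() {
  echo $(( ($1 - $2) / 86400 ))
}

# renewal_due NOT_AFTER_EPOCH NOW_EPOCH -> exit 0 when 30 days or fewer remain
renewal_due() {
  [ "$(days_left "$1" "$2")" -le "$RENEW_WINDOW_DAYS" ]
}

# not_after_epoch CERT_PATH -> prints the certificate's notAfter as epoch seconds
not_after_epoch() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  date -u -d "$end" +%s
}

# check_live_dir -> one line per lineage: name, status, days left, symlink target
check_live_dir() {
  now=$(date -u +%s)
  for dir in "$LIVE_ROOT"/*/; do
    [ -f "$dir/cert.pem" ] || continue
    name=$(basename "$dir")
    target=$(readlink -f "$dir/cert.pem")   # which archive file the link points at
    exp=$(not_after_epoch "$dir/cert.pem")
    left=$(days_left "$exp" "$now")
    if renewal_due "$exp" "$now"; then status="DUE"; else status="ok"; fi
    printf '%-30s %-4s %4d days left  -> %s\n' "$name" "$status" "$left" "$target"
  done
}

# Only scan when the directory exists, so the functions can also be sourced elsewhere.
if [ -d "$LIVE_ROOT" ]; then
  check_live_dir
fi
```

A lineage reported as DUE is one that `certonly` with `keep` would renew; after a renewal, the symlink target changes, which is the quickest way to confirm the service restart will pick up new contents.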


#8

Thank you. That’s the answer I was looking for!


#9

This approach fails when many certs require updating, as the user is prompted about keeping the outdated cert or renewing.

Imagine having to type “2” to renew for 1000s of domains. Ugly…

The -non-interactive flag for this operation is badly broken also. When -n is used, no action is taken + an incorrect message is returned…

Certificate not yet due for renewal; no action taken.

Please update this thread with how to update many certs with no interactive interaction using certonly, as trying to use the renew command fails in all sorts of ways + is unusable.


#10

@davidfavor, as someone has pointed out in another thread, the --force-renewal flag will cause renewal to be attempted immediately, which is what you wanted in most cases. It would definitely be an improvement for the client to have a clearer way to refer to individual certificate lineages (in case you had 400 certificates and wanted to force renewal of 100 of those but not the other 300).

(While specifying the exact names via -d will allow you to pick a particular certificate lineage to be renewed, this doesn’t work when you have installed certificates with certain kinds of overlap in their name coverage.)