Renewing my certificates

I have a few HTTPS certificates for a few domain names. I checked and they are set to renew with crontab. Today I found out that some of my websites are not working; I checked and some of the certificates expired on February 28 and were not renewed. I didn’t receive any email or notification about renewing the certificates, but the websites just stopped working. For example for the domain and some other domain names.

The command I run for renewing these certificates is:
sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials /home/uri/.certbot/digitalocean.ini --domains <list of my domain names> ...

Also, why do I have to renew the certificates every 3 months? I prefer to renew them every one or two years.

What does journalctl | grep certbot say?

Security. Less chance of someone hijacking your key if it changes every 90 days. This is why the renewal process is supposed to be automated with cron.

You’re ordering new certificates with the certonly option. You should be using renew. Renew keeps your current certificates updated and changes the symlinks to point to the new certificates.
Certonly creates new “domain” directories & increments them by number.

You can see this in /etc/letsencrypt/live

Did you register with your email address? You get notifications if your Certbot agent is registered.

That’s not quite right: certonly only does this if you specify a different list of domains but it has a partial overlap with the previous list. If you specify all of the same domains as before, certonly will perform an ordinary renewal (updating symlinks).

It is still not the recommended way to renew—as you said, renew is the recommended way to renew.

Using certonly on an existing certificate can be correct if you want to modify the existing certificate’s coverage or force an early renewal in some circumstances.

Hmmm… It created new certs for me and did not update my existing symlinks. But I was on 0.31 at the time. Now I’m on 1.2 with CentOS8, so I probably can’t reproduce it.

It’s very common to get the -0001 behavior by accident, but it’s still caused by specifying a slightly different set of domain names than were specified the previous time, or by somehow corrupting /etc/letsencrypt in a way that confuses Certbot, not by the bare fact of having used certonly.

I get many error messages such as:

certbot.service: Failed to execute command: No such file or directory
certbot.service: Main process exited, code=exited, status=203/EXEC
certbot.service: Failed with result 'exit-code'.
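As an added example (this is not code from the thread or from Certbot itself), the following POSIX shell functions check the three things discussed above: whether the systemd unit's ExecStart= names a program that actually exists (the usual meaning of "Failed to execute command: No such file or directory" with status=203/EXEC), how many days each certificate under /etc/letsencrypt/live has left against Certbot's default 30-day renewal window, and whether a --domains list covers exactly the same names as an existing certificate, since a partial overlap is what produces the -0001 lineage. It assumes a Linux host with GNU date and openssl; the unit path and the live directory are the common defaults and may differ on your distribution.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Certbot.
# Assumptions: Linux, GNU date (date -d), openssl on PATH, default certbot paths.

set -u

# 1. Parse the first ExecStart= line of a unit file and check that argv[0]
#    is executable. systemd reports status=203/EXEC when it cannot exec it.
check_execstart() {
    unit_file="$1"
    # Strip systemd's optional prefixes (-, @, :, +, !) and keep the program path.
    exe=$(sed -n 's/^ExecStart=[-@:+!]*//p' "$unit_file" | head -n 1 | awk '{print $1}')
    if [ -z "$exe" ]; then
        echo "no ExecStart= in $unit_file" >&2
        return 2
    fi
    if [ -x "$exe" ]; then
        echo "ok: $exe"
        return 0
    fi
    echo "missing or not executable: $exe (systemd would report 203/EXEC)" >&2
    return 1
}

# 2a. Whole days between two epoch timestamps (end - now). Shell arithmetic
#     truncates toward zero, so 0 means "less than a day either side of expiry".
days_between() {
    echo $(( ($1 - $2) / 86400 ))
}

# 2b. Classify remaining days against certbot's default renewal window:
#     it renews when fewer than 30 days remain (renew_before_expiry = 30 days).
classify_days() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt 30 ]; then echo DUE
    else echo ok
    fi
}

# 2c. Days left on a PEM certificate, read from its notAfter field.
days_until_expiry() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    days_between "$(date -d "$not_after" +%s)" "$(date +%s)"
}

# 2d. Walk the live directory (the symlinks certbot maintains) and exit
#     non-zero if any certificate is DUE or already EXPIRED.
check_live_certs() {
    rc=0
    for pem in "${1:-/etc/letsencrypt/live}"/*/cert.pem; do
        [ -e "$pem" ] || continue
        d=$(days_until_expiry "$pem")
        state=$(classify_days "$d")
        echo "$state: $(basename "$(dirname "$pem")") ($d days left)"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# 3a. Normalise a whitespace-separated domain list: lower-case, sorted, unique.
normalize_domains() {
    # $1 is deliberately unquoted so each name becomes its own line.
    printf '%s\n' $1 | tr 'A-Z' 'a-z' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# 3b. True when two domain lists cover exactly the same names, in any order.
#     Passing certonly a list that only partly overlaps the existing certificate
#     creates a new "<name>-0001" lineage instead of renewing the old one.
domain_sets_match() {
    [ "$(normalize_domains "$1")" = "$(normalize_domains "$2")" ]
}

# 3c. The SANs currently on a certificate, for comparison with a --domains list.
cert_domains() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/DNS://' | tr '\n' ' '
}
```

Source the file and run `check_execstart /lib/systemd/system/certbot.service` (use whatever path `systemctl cat certbot.service` shows on your system), then `check_live_certs`, and finally `certbot renew --dry-run`, which exercises the real renewal path against the staging environment without consuming rate limits. Because the original certonly run recorded the `dns-digitalocean` authenticator and the credentials path in `/etc/letsencrypt/renewal/<name>.conf`, `certbot renew` needs no plugin flags. To see whether a planned `--domains` list would renew or fork a lineage, compare it with `domain_sets_match "$(cert_domains /etc/letsencrypt/live/<name>/cert.pem)" "<your list>"`.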

I’m registered with my email address but I think I opted out. Can I opt in again? I received many irrelevant messages.
