I am using certbot/certbot running on docker to apply for a Let's Encrypt SSL certificate. The day after applying for the certificate, I ran the renewal command and was told that there were no certificates available to renew, so I wondered: How many days will it take before I can run the renewal command? And if I use a cron job to run the renewal once a week, will my request be blocked by certbot or Let's Encrypt because there are too many renewal requests and no domains to renew (I manage many domains so I need to renew continuously to avoid unintended expiration)?
You can run certbot renew in a daily cronjob and it will manage only renewing certificates that are due for renewal.
There is a --force flag you can pass to renew certs early, so don’t use it unless you really want to hit some rate limits. You can request the same certificate (by renewing it) 5 times per week.
The full rate limit documentation is at Rate Limits - Let's Encrypt
So I can run the renew command (to renew all the domains I have) once a week without fear of being blocked from requests from certbot or Let's Encrypt, right?
And it seems that certbot will only send requests to Let's Encrypt if that domain is about to expire to avoid Let's Encrypt blocking the request, right?
That's a rather low frequency. Certbot by default, if a cronjob or something similar is installed, runs twice a day.
Correct, because:
Partly correct: Certbot will by default request the OCSP status of the certificate when running the renew subcommand. But that doesn't affect the rate limits of the ACME server, so that is not an issue at all. When there's nothing to renew, Certbot won't connect to the ACME API.
As far as I know, Let's Encrypt certificates are valid for 90 days, so what day can I renew my certificate? Is it 1 week or 1 month before the certificate expires?
You can choose whenever you need to, but most clients use 2/3 of the cert's lifetime for renewal, so about a month before for the current 90-day certificate.
Currently I'm managing multiple certificates with different expiration dates so I'll run "renew" once a week to make sure none of them expire.
Thanks everyone!
You should run certbot twice a day and it will only renew once a certificate needs to be renewed.
Maybe you missed that message:
"Will requesting to renew an SSL certificate too many times when it expires be blocked?"
No.
You should run the request to renew twice a day.
[it won't actually be renewed until it needs to be renewed]
I see what you mean; I find that renewing twice a day is not really necessary, as each certificate is valid for 90 days, so I find renewing once a week is enough for my certificate to expire.
You are missing the point.
Checking to renew is very little effort.
It usually just looks at the cert and looks at the clock and says "I have nothing to do now".
The time window for it to actually try and renew is from day 60 to day 90 [30 days].
If you only check once a week, that's only five attempts to check for renewals [at best].
If you check twice a day [as recommended by LE and done by every ACME client as default], it would have sixty attempts to check for renewals.
Choose wisely: 5 or 60
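An added example, not part of the original thread or of Certbot's code: a small model of the point made above, counting how many scheduled checks land in the day-60-to-day-90 window and what happens when renewals fail for part of it. The issue date and the failure period are constructed; the 90-day lifetime and 30-day window are the figures given in the thread.

```python
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)      # certificate lifetime, as stated in the thread
RENEW_BEFORE = timedelta(days=30)  # renewal window: day 60 to day 90


def scheduled_runs(first_run, interval, expiry):
    """Yield every scheduled run of the renewal job up to certificate expiry."""
    t = first_run
    while t < expiry:
        yield t
        t += interval


def attempts_in_window(issued, first_run, interval):
    """Count the runs that fall inside the renewal window."""
    expiry = issued + LIFETIME
    window_start = expiry - RENEW_BEFORE
    return sum(1 for t in scheduled_runs(first_run, interval, expiry)
               if t >= window_start)


def renewed_at(issued, first_run, interval, failing=()):
    """Return when renewal first succeeds, or None if the certificate expires.

    failing: (start, end) periods in which every attempt fails (constructed
    stand-in for a broken validation setup or an unreachable ACME server).
    """
    expiry = issued + LIFETIME
    window_start = expiry - RENEW_BEFORE
    for t in scheduled_runs(first_run, interval, expiry):
        if t < window_start:
            continue  # nothing due yet: the run ends without using the ACME API
        if any(start <= t < end for start, end in failing):
            continue  # attempt failed; the next scheduled run retries
        return t
    return None


# Constructed scenario: renewals fail from day 60 until a fix lands on day 85.
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
BROKEN = [(ISSUED + timedelta(days=60), ISSUED + timedelta(days=85))]
WEEKLY, TWICE_DAILY = timedelta(days=7), timedelta(hours=12)

if __name__ == "__main__":
    for name, step in (("weekly", WEEKLY), ("twice daily", TWICE_DAILY)):
        print(name, attempts_in_window(ISSUED, ISSUED, step),
              renewed_at(ISSUED, ISSUED, step, BROKEN))
```

In this scenario the weekly schedule never gets a successful attempt before expiry, while the twice-daily schedule renews on the first run after the fix.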
Thank you for your enthusiastic support, I will run the extension twice a day as recommended.
@tdba, please close this topic by marking a post as the solution.
Done!
Thank you.