Philipp Claßen

Reputation: 43969

Let's Encrypt: How to manually test the certbot renewal process?

I have a working setup where Let's Encrypt certificates are generated with certbot. I wonder how you effectively test whether the renewal will work in production.

The certificates last for 90 days. Is there a way to reduce the lifespan to, for instance, 10 minutes, to see if the renewal works? (Using the staging system for that is fine.)

If you have an alternative approach how to make sure that your renewal code works (without having to wait for 90 days), it would also be appreciated.

Upvotes: 19

Views: 32113

Answers (4)

Steve Wall

Reputation: 1932

If this is to test the renewal process, it is worth noting that using the --test-cert flag uses a different Let's Encrypt server and will not be counted against your limit. Of course, the generated certs are invalid. But it will test the renewal process.

--test-cert, --staging
                    Use the Let's Encrypt staging server to obtain or
                    revoke test (invalid) certificates; equivalent to
                    --server https://acme-
                    staging-v02.api.letsencrypt.org/directory (default:
                    False)

Upvotes: 0

Diggy.

Reputation: 6944

It's worth noting that renew doesn't like working in conjunction with domain-specific renewals, as per (certbot v1.22.0):

Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

Taking this into account, you might want to consider using the following command:
certbot certonly --dry-run -d my.domain.com
References:

Upvotes: 2

Greg Schmit

Reputation: 4574

You use the --dry-run option. E.g.:

$ sudo certbot renew --dry-run

From certbot -h:

certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

...

--dry-run Test "renew" or "certonly" without saving any certificates to disk

This ensures that certbot can validate your domain with your current configuration.

If you really want to save the certificates to disk and see if your system is using the new cert, then you can also use the --force-renewal option. In that case, you should visit your website and check that the active certificate is the new one. If it isn't, you likely need to adjust your cron job to restart your web server. E.g.:

certbot renew && service apache24 restart

Upvotes: 27
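An added example (not from any of the answers above) that turns the two-step check from this answer into a script: run the dry run first, then force a real renewal, restart the server, and confirm the fingerprint the live endpoint presents actually changed and matches the chain on disk. It assumes certbot's default layout of /etc/letsencrypt/live/<domain>/fullchain.pem, that openssl is installed, and it keeps the page's own `service apache24 restart` as the restart command; swap that for your server's restart command.

```shell
#!/bin/sh
# Usage: sh verify_renewal.sh my.domain.com [443]
# Assumptions (not stated on the page): certbot keeps the served chain at
# /etc/letsencrypt/live/<domain>/fullchain.pem and openssl is available.
set -u

# SHA-256 fingerprint of the first certificate in the PEM read from stdin.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Certificate that the live TLS endpoint (host $1, port $2) presents, as PEM.
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Exit 0 if the PEM certificate on stdin expires within $1 seconds.
# certbot's own default is to renew once fewer than 30 days remain.
cert_expires_within() {
  ! openssl x509 -noout -checkend "$1" >/dev/null 2>&1
}

# Exit 0 only if both fingerprints are present and differ.
fingerprints_differ() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

if [ "$#" -ge 1 ]; then
  domain=$1; port=${2:-443}
  live=/etc/letsencrypt/live/$domain/fullchain.pem

  # 1. Validation check that writes nothing to disk (staging CA, no rate limits).
  certbot renew --dry-run || { echo "dry run failed"; exit 1; }

  # 2. Force a real renewal, restart the web server, then compare what is
  #    actually served with what certbot wrote to disk.
  before=$(served_cert "$domain" "$port" | cert_fingerprint)
  certbot renew --force-renewal && service apache24 restart
  after=$(served_cert "$domain" "$port" | cert_fingerprint)
  ondisk=$(cert_fingerprint < "$live")
  if fingerprints_differ "$before" "$after" && [ "$after" = "$ondisk" ]; then
    echo "renewal works: server now presents $after"
  else
    echo "server still presents $before (on disk: $ondisk); check the restart hook"
    exit 1
  fi
fi
```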

Djaevel

Reputation: 192

You can use "certbot renew --force-renewal"

https://certbot.eff.org/docs/using.html#configuration-file

--force-renewal, --renew-by-default

If a certificate already exists for the requested domains, renew it now, regardless of whether it is near expiry. (Often --keep-until-expiring is more appropriate). Also implies --expand. (default: False)

Upvotes: 6
