Certbot is a lifesaver when the user interface you use to renew certificates no longer delivers. Some servers, of course, come without any kind of control panel like cPanel or Virtualmin. In those cases, understanding the basic syntax of Certbot is a must. This guide gives some pointers, but be warned: even for the seasoned network administrator, automated certificate renewals on a “non standard” server can be a complete nightmare.
For now, here is our list of favourite Certbot commands:
List all Certificates Certbot Knows About
Try to renew all Certificates Certbot Knows About
The CRON required to renew all certificates every two months
If all is well with your Certbot installation, you should automatically have the following CRON:
/etc/cron.d# cat certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
certbot renew --force-renewal --cert-name mail.example.com
To Delete A Certbot Certificate
certbot delete --cert-name domain.com
Older CRON Information
Although certificates should be renewed around every two months, it’s better to check much more often, e.g. daily, to see if they can be renewed. Unfortunately the guidance provided by the official manual doesn’t seem to address the frequency so you’ll find 100s of different answers all over the internet.
This article was updated 13 April 2021 to include an improved CRON job schedule.
First find out which certbot binary you use by doing this:
# which certbot
/usr/bin/certbot
The reason is that CRON works more reliably when the binary is called by its full path.
Now do this:
0 */12 * * * /usr/bin/certbot renew
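A quick way to check that a renewal entry will actually fire, covering both the packaged /etc/cron.d/certbot file (which skips itself under systemd) and the full-path entry above. This is an added example, not part of the original article or the certbot package; the function name, its output strings and the optional second argument (a stand-in for /run/systemd/system so the check can be tried off-box) are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit a cron file's certbot renewal entries.
# Usage: audit_certbot_cron FILE [SYSTEMD_DIR]
# SYSTEMD_DIR defaults to /run/systemd/system, the directory the packaged job
# tests for; it is a parameter only so the check can be exercised off-box.
audit_certbot_cron() {
    file=$1
    systemd_dir=${2:-/run/systemd/system}
    [ -r "$file" ] || { echo "ERROR unreadable-file"; return 2; }

    # The check treats a PATH= line in the file as making bare "certbot" resolvable.
    has_path=no
    grep -Eq '^[[:space:]]*PATH=' "$file" && has_path=yes

    # Active (non-comment) lines that invoke "certbot [options] renew".
    renew_re='certbot([[:space:]]+-[^[:space:]]+)*[[:space:]]+renew'
    entries=$(grep -Ev '^[[:space:]]*#' "$file" | grep -E "$renew_re") || true
    [ -n "$entries" ] || { echo "FAIL no-renew-entry"; return 1; }

    status=1
    while IFS= read -r line; do
        # The packaged job refuses to run when systemd is the init system.
        case $line in
            *'-d /run/systemd/system'*)
                if [ -d "$systemd_dir" ]; then
                    echo "SKIPPED systemd-present-check-certbot.timer"
                    continue
                fi ;;
        esac
        # Resolvable if renew is called by absolute path or the file sets PATH.
        if printf '%s\n' "$line" \
            | grep -Eq "(^|[[:space:]])/[^[:space:]]*$renew_re" \
            || [ "$has_path" = yes ]; then
            echo "OK will-run"
            status=0
        else
            echo "FAIL certbot-not-resolvable"
        fi
    done <<EOF
$entries
EOF
    return $status
}
```

Run it as `audit_certbot_cron /etc/cron.d/certbot`; a return code of 0 means at least one entry will run, and a SKIPPED line means renewal depends on certbot.timer instead.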