How to Verify Whether Certbot Can Renew a Let's Encrypt Certificate Successfully

A quick way to confirm whether Certbot automatic renewal will work before the certificate really expires.

After using Certbot to issue a free Let’s Encrypt certificate, the most important follow-up question is whether automatic renewal will work.

Let’s Encrypt certificates are valid for a limited time. If renewal fails silently, HTTPS may break after the certificate expires. Certbot provides a dry-run mode that can simulate the renewal process without replacing the real certificate.

Use Certbot Dry Run

Run:

certbot renew --dry-run

This command asks Certbot to simulate certificate renewal. It checks whether the current account, domain validation method, web server integration and renewal configuration can still complete the process.

If the command succeeds, Certbot prints a success message similar to:

Congratulations, all simulated renewals succeeded

That means the renewal workflow is currently valid.

What Dry Run Checks

The dry run does not simply check the certificate file. It also verifies the renewal path:

  • whether the domain can still be validated;
  • whether the web server configuration allows the validation challenge;
  • whether Certbot can read the existing renewal configuration;
  • whether the certificate account and plugins are available;
  • whether the deploy/reload hooks can run.

This makes it more useful than only checking the certificate expiration date.

Common Failure Causes

If certbot renew --dry-run fails, common causes include:

  • the domain no longer points to the server;
  • port 80 or 443 is blocked;
  • Nginx or Apache configuration changed;
  • the webroot path no longer matches the renewal configuration;
  • firewall rules block Let’s Encrypt validation;
  • the Certbot plugin used during issuance is missing;
  • deploy hooks or reload commands fail.

Fix the error reported by Certbot, then run the dry run again.

Check The Renewal Timer

On systems using systemd, Certbot usually installs a systemd timer that runs the renewal on a schedule. Check its state with:

systemctl status certbot.timer

You can list scheduled timers with:

systemctl list-timers | grep certbot

If the timer is active and dry-run renewal succeeds, automatic renewal should work normally.
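To turn the two checks above (the dry run and the timer) into something a cron job or monitoring system can run and alert on, here is an added example that is not part of the original post. The function names, exit codes and the constructed sample outputs are assumptions of this example; only the success line quoted above is taken from Certbot's real output.

```shell
#!/bin/sh
# Added example (not from the original post): wraps `certbot renew --dry-run`
# and the systemd timer check so a scheduled job fails loudly when the
# renewal path breaks, instead of discovering it when HTTPS stops working.

# dry_run_ok OUTPUT EXITCODE -> 0 when the simulated renewal succeeded.
# Requires a zero exit status AND the success line, and rejects output that
# reports a failed lineage, so a partial success is not reported as OK.
dry_run_ok() {
  out="$1"; rc="$2"
  [ "$rc" -eq 0 ] || return 1
  printf '%s\n' "$out" | grep -q 'all simulated renewals succeeded' || return 1
  printf '%s\n' "$out" | grep -qiE 'failed to renew|renewals failed|renew failure' && return 1
  return 0
}

# timer_active STATE -> 0 when `systemctl is-active certbot.timer` printed "active".
timer_active() {
  [ "$1" = "active" ]
}

# check_renewal runs the real commands. Exit status: 0 OK, 1 dry run failed,
# 2 timer not active, so a monitoring job can tell the two apart.
check_renewal() {
  rc=0
  out=$(certbot renew --dry-run 2>&1) || rc=$?
  if ! dry_run_ok "$out" "$rc"; then
    echo "certbot dry run FAILED (exit $rc):"; printf '%s\n' "$out"
    return 1
  fi
  state=$(systemctl is-active certbot.timer 2>/dev/null || true)
  if ! timer_active "$state"; then
    echo "certbot.timer is not active (state: ${state:-unknown})"
    return 2
  fi
  echo "renewal path OK: dry run succeeded and certbot.timer is active"
}

# Constructed sample outputs (assumptions) to exercise the parser offline.
SAMPLE_OK='Simulating renewal of an existing certificate for example.com
Congratulations, all simulated renewals succeeded:
  example.com (success)'
SAMPLE_FAIL='Simulating renewal of an existing certificate for example.com
Failed to renew certificate example.com with error: Timeout during connect
All simulated renewals failed.'
```

On a real server, call `check_renewal` from the job and alert on any non-zero exit status.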

Summary

To verify whether Certbot can renew a Let’s Encrypt certificate, the most direct command is:

certbot renew --dry-run

Run it after changing web server configuration, firewall rules, domain DNS or Certbot plugins. This simple check can prevent an expired certificate from breaking HTTPS unexpectedly.
