Letsencrypt on KnightLi Blog https://www.knightli.com/en/tags/letsencrypt/ Recent content in Letsencrypt on KnightLi Blog Hugo -- gohugo.io en Thu, 08 Dec 2022 00:00:00 +0000 How to Verify Whether Certbot Can Renew a Let's Encrypt Certificate Successfully https://www.knightli.com/en/2022/12/08/certbot-renewal-dry-run/ Thu, 08 Dec 2022 00:00:00 +0000 https://www.knightli.com/en/2022/12/08/certbot-renewal-dry-run/ <p>After using Certbot to issue a free Let&rsquo;s Encrypt certificate, the most important follow-up question is whether automatic renewal will work.</p> <p>Let&rsquo;s Encrypt certificates are valid for a limited time. If renewal fails silently, HTTPS may break after the certificate expires. Certbot provides a dry-run mode that can simulate the renewal process without replacing the real certificate.</p> <h2 id="use-certbot-dry-run">Use Certbot Dry Run </h2><p>Run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certbot renew --dry-run </span></span></code></pre></td></tr></table> </div> </div><p>This command asks Certbot to simulate certificate renewal. It checks whether the current account, domain validation method, web server integration and renewal configuration can still complete the process.</p> <p>If the command succeeds, Certbot prints a success message similar to:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Congratulations, all simulated renewals succeeded </span></span></code></pre></td></tr></table> </div> </div><p>That means the renewal workflow is currently valid.</p> <h2 id="what-dry-run-checks">What Dry Run Checks </h2><p>The dry run does not simply check the certificate file. It also verifies the renewal path:</p> <ul> <li>whether the domain can still be validated;</li> <li>whether the web server configuration allows the validation challenge;</li> <li>whether Certbot can read the existing renewal configuration;</li> <li>whether the certificate account and plugins are available;</li> <li>whether the deploy/reload hooks can run.</li> </ul> <p>This makes it more useful than only checking the certificate expiration date.</p> <h2 id="common-failure-causes">Common Failure Causes </h2><p>If <code>certbot renew --dry-run</code> fails, common causes include:</p> <ul> <li>the domain no longer points to the server;</li> <li>port 80 or 443 is blocked;</li> <li>Nginx or Apache configuration changed;</li> <li>the webroot path no longer matches the renewal configuration;</li> <li>firewall rules block Let&rsquo;s Encrypt validation;</li> <li>the Certbot plugin used during issuance is missing;</li> <li>deploy hooks or reload commands fail.</li> </ul> <p>Fix the error reported by Certbot, then run the dry run again.</p> <h2 id="check-the-renewal-timer">Check The Renewal Timer </h2><p>On systems using systemd, Certbot usually installs a timer:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">systemctl status certbot.timer </span></span></code></pre></td></tr></table> </div> </div><p>You can list scheduled timers with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">systemctl list-timers <span class="p">|</span> grep certbot </span></span></code></pre></td></tr></table> </div> </div><p>If the timer is active and dry-run renewal succeeds, automatic renewal should work normally.</p> <h2 id="summary">Summary </h2><p>To verify whether Certbot can renew a Let&rsquo;s Encrypt certificate, the most direct command is:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certbot renew --dry-run </span></span></code></pre></td></tr></table> </div> </div><p>Run it after changing web server configuration, firewall rules, domain DNS or Certbot plugins. This simple check can prevent an expired certificate from breaking HTTPS unexpectedly.</p>