Let's Encrypt: How to manually test the certbot renewal process?

Philipp Claßen picture Philipp Claßen · May 18, 2017 · Viewed 8.1k times · Source

I have a working setup where Let's Encrypt certificates are generated with certbot. I wonder how you effectively test whether the renewal will work in production.

The certificates last for 90 days. Is there a way to reduce the lifespan to, for instance, 10 minutes, to see if the renewal works? (Using the staging system for that is fine.)

If you have an alternative approach how to make sure that your renewal code works (without having to wait for 90 days), it would also be appreciated.

Answer

Greg Schmit picture Greg Schmit · Sep 25, 2018

You use the --dry-run option. E.g.:

$ sudo certbot renew --dry-run

From certbot -h:

certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

...

--dry-run Test "renew" or "certonly" without saving any certificates to disk

This ensures that the certbot can validate your domain with your current configuration.

If you really want to save the certificates to disk and see if your system is using the new cert, then you can also use the --force-renewal option. In that case, you should visit your website and check that the active certificate is the new one. If it isn't, you likely need to adjust your cronjob to restart your web server. E.g.:

certbot renew && service apache24 restart