How to forcefully renew Let’s Encrypt certificate

Forcefully renew Let's Encrypt certificate for Nginx and Apache web server

How do I forcefully renew the Let’s Encrypt certificate on Ubuntu, Debian, CentOS, RHEL, Fedora, or FreeBSD Unix systems?

As you know, Let’s Encrypt is a free, automated, and open certificate authority that one can use to issue TLS/SSL certificates for web servers, mail servers, and more. This page explains how to renew the Let’s Encrypt certificate forcefully on Linux, FreeBSD, and Unix-like systems using the CLI tools.

How to forcefully renew Let’s Encrypt certificate

In Linux and Unix, there are multiple ways to issue and renew Let’s Encrypt TLS/SSL certificates. In this tutorial, we use the two most popular command-line tools, certbot and acme.sh. With either one, we can always force cert renewal even if the certificate is not near its expiration date:

  1. certbot – Request a new certificate using the certbot renew --force-renewal command. We can specify domains using the -d option. For example, certbot -d cyberciti.biz,www.cyberciti.biz,test.cyberciti.biz --force-renewal
  2. acme.sh – Force renewal of a cert immediately using acme.sh -f -r -d www.cyberciti.biz

Let’s Encrypt certificate expiration notice

You might get a notice as follows for your domain:

Hello,

Your certificate (or certificates) for the names listed below will expire in 10 days (on 14 May 20 12:16 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

www.cyberciti.biz

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

So let us see all other options, commands, and examples in detail for renewing certificates for our web server.

Renewing the LetsEncrypt certificate using the certbot

Certbot is the most popular tool for:

  • Automatically prove to the Let’s Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and renew it
  • Help you revoke the certificate if that ever becomes necessary
  • Renew the certificate forcefully if the need arises

The main aim of the certbot command-line tool is to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. However, sometimes the renewal process fails for various reasons, and you need to issue the following manual command for forceful renewal:
certbot --force-renewal
certbot --force-renewal -d domain-name-1-here,domain-name-2-here
certbot --force-renewal -d www.nixcraft.com,nixcraft.com

See the certbot docs for more info, or use the following commands:
certbot --help
certbot --help all
## filter out renewal option using the grep command/egrep command ##
certbot --help all | grep -i force
certbot --help all | egrep -i 'renewal|force'

How to renew a specific certificate using the acme.sh

The syntax is as follows:
acme.sh -f -r -d {your-domain-here}
acme.sh --force --renew --domain {your-domain-name-here}
acme.sh -f -r -d www.cyberciti.biz
acme.sh -f -r -d www.cyberciti.biz -d server1.cyberciti.biz

Renew LetsEncrypt Certificate on Linux or Unix Server
Where,

  • --renew OR -r : Renew a cert.
  • --domain OR -d : Specifies a domain, used to issue, renew or revoke etc.
  • --force OR -f : Used to force to install or force to renew a cert immediately.

Restart / reload your web server and service

Finally, reload the Nginx server or the Apache web server for the changes to apply. In other words, you need to restart or reload your web server so that clients can see the renewed certificates:
sudo service nginx reload
## or ##
sudo service httpd reload
## Systemd GNU/Linux ##
sudo systemctl reload nginx.service
sudo systemctl reload httpd.service
sudo systemctl reload apache2.service
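
Forced renewals count against Let’s Encrypt’s rate limits, so it helps to check whether a certificate is actually inside the 30-day window mentioned in the expiration notice, and to confirm that a forced renewal really replaced the file before reloading the web server. The following script is an added example, not part of the original tutorial; the function names and the certificate path argument are assumptions, and the sample certificate is a constructed self-signed one:

```shell
#!/bin/sh
# Added example: function names and the certificate path argument are assumptions.

# Exit 0 if the certificate in $1 expires within $2 days, 1 if not, 2 on error.
cert_expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid N seconds from now
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1 && return 1
    return 0
}

# Print "renew", "skip" or "error" for certificate $1 and threshold $2 (days).
renew_decision() {
    rc=0
    cert_expires_within "$1" "$2" || rc=$?
    case $rc in
        0) echo renew ;;
        1) echo skip ;;
        *) echo error ;;
    esac
}

# Print the SHA-256 fingerprint of the certificate in $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Force-renew domain $2 with the tutorial's certbot command, then succeed only
# if the certificate file $1 changed (not invoked by the demo below).
force_renew_and_verify() {
    [ -r "$1" ] || return 2
    before=$(cert_fingerprint "$1")
    certbot --force-renewal -d "$2" || return 1
    [ "$before" != "$(cert_fingerprint "$1")" ]
}

# Constructed sample input: a self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

# Demo on a constructed 10-day certificate (not a real Let's Encrypt one).
d=$(mktemp -d) && make_sample_cert "$d/cert.pem" 10
echo "30-day threshold: $(renew_decision "$d/cert.pem" 30)"
echo "5-day threshold:  $(renew_decision "$d/cert.pem" 5)"
rm -rf "$d"
```

On a certbot host the certificate file is normally /etc/letsencrypt/live/<domain>/fullchain.pem; reload the web server only after force_renew_and_verify succeeds.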

Conclusion

In this tutorial, you learned how to renew Let’s Encrypt free SSL/TLS certificates for the Nginx or Apache web server running on Linux or Unix-like systems.

  • x_y_z Sep 6, 2020 @ 13:58

    RHEL (Red Hat Enterprise Linux) commands to renew Apache 2 web-server:

    sudo certbot certificates
    sudo systemctl stop apache2 
    sudo certbot-auto renew 
    sudo systemctl start apache2 
    sudo certbot certificates

    May work on CentOS too but never tested ;)
