How to forcefully renew Let’s Encrypt certificate


Forcefully renew Let's Encrypt certificate for Nginx and Apache web server

How do I forcefully renew the Let’s Encrypt certificate on Ubuntu, Debian, CentOS, RHEL, Fedora, or FreeBSD Unix systems?

As you know, Let’s Encrypt is a free, automated, and open certificate authority that one can use to issue TLS/SSL certificates for web servers, mail servers, and more. This page explains how to renew the Let’s Encrypt certificate forcefully on Linux, FreeBSD, and Unix-like systems using the CLI tools.



How to forcefully renew Let’s Encrypt certificate

In Linux and Unix, there are multiple ways to issue and renew Let’s Encrypt TLS/SSL certificates. We can always force cert renewal even if the certificate is not near its expiration date. In this tutorial, we are going to use the two most popular command-line tools:

  1. certbot – Request a new certificate using the certbot renew --force-renewal command. We can specify domains using the -d option. For example, certbot -d cyberciti.biz,www.cyberciti.biz,test.cyberciti.biz --force-renewal
  2. acme.sh – Force a cert to renew immediately using acme.sh -f -r -d www.cyberciti.biz

Let’s Encrypt certificate expiration notice

You might get a notice as follows for your domain:

Hello,

Your certificate (or certificates) for the names listed below will expire in 10 days (on 14 May 20 12:16 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

www.cyberciti.biz

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

So let us see all other options, commands, and examples in detail for renewing certificates for our web server.

Renewing the LetsEncrypt certificate using the certbot

Certbot is the most popular tool to:

  • Automatically prove to the Let’s Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and renew it
  • Help you revoke the certificate if that ever becomes necessary
  • Renew the certificate forcefully if the need arises

The main aim of the certbot command-line tool is to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. However, sometimes the renewal process fails for various reasons, and you need to issue the following manual command for forceful renewal:
certbot --force-renewal
certbot --force-renewal -d domain-name-1-here,domain-name-2-here
certbot --force-renewal -d www.nixcraft.com,nixcraft.com

See the certbot docs for more info or use the following commands:
certbot --help
certbot --help all
## filter out renewal option using the grep command/egrep command ##
certbot --help all | grep -i force
certbot --help all | egrep -i 'renewal|force'

How to renew a specific certificate using the acme.sh

The syntax is as follows:
acme.sh -f -r -d {your-domain-here}
acme.sh --force --renew --domain {your-domain-name-here}
acme.sh -f -r -d www.cyberciti.biz
acme.sh -f -r -d www.cyberciti.biz -d server1.cyberciti.biz

Where,

  • --renew OR -r : Renew a cert.
  • --domain OR -d : Specifies a domain, used to issue, renew or revoke etc.
  • --force OR -f : Used to force to install or force to renew a cert immediately.

Restart / reload your web server and service

Finally, restart the Nginx server or restart the Apache webserver for the changes to apply. In other words, you need to restart your web server so that clients can see renewed certificates:
sudo service nginx reload
## or ##
sudo service httpd reload
## Systemd GNU/Linux ##
sudo systemctl reload nginx.service
sudo systemctl reload httpd.service
sudo systemctl reload apache2.service
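
To confirm that clients actually see the renewed certificate after the reload, compare the certificate on disk with the one the server presents. The following is an added example, not part of the original tutorial; it assumes the openssl command is installed, and the function names, host name, and file paths are illustrative placeholders:

```sh
#!/bin/sh
# Added example (not from the original tutorial): confirm that a forced
# renewal is really being served after the web server reload.
# Assumes the openssl CLI is installed. Function names are hypothetical.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {   # cert_fingerprint FILE
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${fp#*=}"   # drop the "... Fingerprint=" prefix
}

# Fetch the leaf certificate a live server presents (SNI set to the host).
served_cert() {   # served_cert HOST [PORT] > FILE
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Succeed only if the certificate stays valid for at least DAYS more days.
valid_for_days() {   # valid_for_days FILE DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Compare the renewed certificate on disk with the one captured from the server.
# Returns 0 = same certificate, 1 = server presents a different (old) one,
# 2 = one of the certificates could not be read.
check_deployed() {   # check_deployed DISK_PEM SERVED_PEM
    disk=$(cert_fingerprint "$1") || return 2
    live=$(cert_fingerprint "$2") || return 2
    [ -n "$disk" ] && [ "$disk" = "$live" ]
}

# Usage after the forced renewal and reload (placeholder host and paths):
#   served_cert www.example.com > /tmp/live.pem
#   check_deployed /path/to/renewed/fullchain.pem /tmp/live.pem \
#       && valid_for_days /tmp/live.pem 30 \
#       && echo "renewed certificate is live"
```

A return code of 1 from check_deployed means the web server is still presenting the old certificate, which usually points to a missed reload or a server block that references a different certificate file.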


Conclusion

In this tutorial, you learned how to renew Let’s Encrypt free SSL/TLS Certificates for Nginx or Apache web server running on Linux or Unix like systems.


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.