I am trying to use Certbot to allow for semi-automated certificate updates. I don't want fully-automated updates to avoid automatic certificate replacements that could interrupt business and ensure that a sentient administrator is available when the update is actually done to handle potentially negative consequences. Therefore I need to be able to find out if a certificate is due for renewal in a separate step from issuing the actual renewal.
How can I find out, quickly and without side-effects, if a named certificate managed by Certbot is due for renewal without triggering the renewal itself?
When I issue the `renew` command, the actual renewal is instantly triggered.
When I use the `renew` command with the `--dry-run` flag, the renewal is not triggered, but my authentication plugin is triggered whether the certificate is due or not because it is simulating the authentication. As I use DNS for authentication, actual updates are issued through dynamic DNS and, apart from once again tampering with a live system when there might be no administrator on call, this also takes quite a long time on each check because of the slow update propagation speed that is expected of DNS.
As another option I could imagine using the `renew` command with the `-a` and the `--dry-run` flags to select some kind of no-op authentication plugin that doesn't mess with DNS and doesn't take multiple minutes before I get an answer. Sadly Certbot comes with a no-op installer plugin but not with a no-op authentication plugin. Developing such a no-op authentication plugin seems not to be trivial because the interface for authentication plugins seems to require actual `Challenge` and `ChallengeResponse` objects to be returned by the plugin, of which I currently have insufficient knowledge.
Are there other ways I missed that could solve my problem? Or is there maybe a no-op authentication plugin available somewhere?
certbot will renew a certificate if autorenew is enabled in configuration and the cert is revoked or a certain number of days from expiring (default 30 days).
Any other certificate monitoring script can also parse revoked and notAfter.
Your attempt at getting certbot to not do its thing seems like a lot of work for little benefit. How else are you going to know if plugins work before doing it for real, if they are never executed?
Consider building your confidence in automation in steps.
Throughout, you will have the previous certificates saved locally by certbot, plus the serial numbers saved to public certificate transparency logs.
An advantage to Let's Encrypt is a CA already trusted by many TLS clients. During renew, the subject and the root do not change, only the keys. This makes renew a routine operation that is easy to automate. Unless you do something exotic you have not described, like key pinning, but that is uncommon.
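One way to do the side-effect-free check the answer alludes to (a monitoring script that reads notAfter), as an added example that is not part of the question or the answer: it runs openssl against the cert.pem certbot keeps under its live directory, so no ACME request is made and no authenticator plugin runs. The live-directory path, the lineage name and the 30-day window are assumptions and are parameters of the script.

```shell
#!/bin/sh
# Added example: decide whether a certbot-managed certificate is inside its
# renewal window using only openssl, with no ACME traffic and no plugin run.
# Assumptions: certbot's default layout /etc/letsencrypt/live/<name>/cert.pem
# and the default 30-day renewal window; both can be overridden via env vars.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# due_for_renewal CERT_FILE [DAYS]
# Exit status 0 (true) when the certificate expires within DAYS days,
# 1 when it does not, 2 when the file cannot be read. Prints notAfter
# so the result can be logged or mailed to the on-call administrator.
due_for_renewal() {
    cert="$1"
    days="${2:-$RENEW_DAYS}"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    not_after=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
    # -checkend N exits 0 if the cert is still valid N seconds from now,
    # 1 if it will have expired by then; N = days * 86400.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null; then
        echo "$cert: expires $not_after, not due within $days days"
        return 1
    fi
    echo "$cert: expires $not_after, DUE for renewal within $days days"
    return 0
}

# check_lineage NAME: resolve a certbot lineage name to its live cert.pem
check_lineage() {
    due_for_renewal "$LIVE_DIR/$1/cert.pem"
}

# CLI use: ./check-renewal.sh example.com ; exit status as above.
if [ -n "$1" ]; then
    check_lineage "$1"
fi
```

Because the check is read-only, it can run from cron as often as wanted and only the actual `certbot renew` needs to wait for an administrator.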