Home / server / Questions / 908952
Accepted
lofidevops
Asked: 2018-04-23 22:50:12 +0800 CST

Can certbot renew --dry-run result in a false positive?

  • 772

If I run certbot renew --dry-run and make no further changes to my Nginx configuration, am I guaranteed that certbot renew will succeed 90 days later? In other words, can the result be a false positive?

If so, should I rather run certbot renew --force-renewal for a thorough test?

nginx

1 Answers

  1. Best Answer

    Surely you can use a --force-renewal if it satisfies you. But you can not run it everyday. The --dry-run option is for that very reason of testing there.

    See here: https://certbot.eff.org/docs/using.html#certbot-command-line-options:

    --dry-run             Perform a test run of the client, obtaining test
                   (invalid) certificates but not saving them to disk.
                    This can currently only be used with the 'certonly'
                    and 'renew' subcommands. Note: Although --dry-run
                    tries to avoid making any persistent changes on a
                    system, it is not completely side-effect free: if used
                    with webserver authenticator plugins like apache and
                    nginx, it makes and then reverts temporary config
                    changes in order to obtain test certificates, and
                    reloads webservers to deploy and then roll back those
                    changes. It also calls --pre-hook and --post-hook
                    commands if they are defined because they may be
                    necessary to accurately simulate renewal. --deploy-
                    hook commands are not called. (default: False)

    This option is to test your configuration and to make sure everything is configured correctly but it has some side-effects.

    For the renewal, you can safely use the renew option regularly via cron: 

    renew:
                The 'renew' subcommand will attempt to renew all certificates (or more
                precisely, certificate lineages) you have previously obtained if they are
                close to expiry, and print a summary of the results. By default, 'renew'
                will reuse the options used to create obtain or most recently successfully
                renew each certificate lineage. You can try it with `--dry-run` first. For
                more fine-grained control, you can renew individual lineages with the
               `certonly` subcommand. Hooks are available to run commands before and
                after renewal; see https://certbot.eff.org/docs/using.html#renewal for
                more information on these.

    This will run the renewal process regularly but will only renew certificates when it is necessary or about to expire.

    The --force-renewal is not the right option to update certificate automatically rather meant for manual update:

    If you are manually renewing all of your certificates, the --force-renewal flag may be helpful; it causes the expiration time of the certificate(s) to be ignored when considering renewal, and attempts to renew each and every installed certificate regardless of its age. (This form is not appropriate to run daily because each certificate will be renewed every day, which will quickly run into the certificate authority rate limit.)

    As for the guarantee, it's a free and open source software and nobody is going to gurantee you anything I suppose. So use it at your own risk.

    • 1