Certbot: renewing all Let's Encrypt certificates


Linux shell: force renewal of all Let's Encrypt certificates on a system

Certificates today are like DNS: they must work, because most systems expect them to be there, and they must be valid. Google in particular has changed many of its services to connect with SSL/TLS enabled by default.

Renewing outdated certificates

Sometimes problems arise and you need to check whether certbot (the Let’s Encrypt client) or cron is still working. Or maybe you simply want to check whether all your certificates have been renewed. In both cases you can run:

sudo certbot renew

If all your certificates are up to date or not old enough to be renewed, you will get the simple message "Cert not yet due for renewal".

Force to renew all certificates

At some point, however, you need to be sure that all your certificates are validated and that the validation of every certificate really works as expected. Then you need to renew all your certificates. This can be done with this command:

sudo certbot renew --force-renewal

This is not a problem for certificates issued by Let’s Encrypt, as you can renew a certificate at any time. On every forced or needed renewal, certbot prepares a new validation and your certificate is signed again, which extends its expiration date.

Good idea to renew all your certificates

Sometimes it is a good idea to simply renew all your certificates, either to be sure that they are working or because you need them to be valid for the maximum time.

Sometimes the Certificate Authority (CA) forces you to revalidate your certificates, as happened a few days ago: 3 million certificates must be revalidated by Let’s Encrypt. This is quite simple with Let’s Encrypt, as you can simply run a forced renewal and you are done. By renewing your certificates you help the CA to revoke the outdated certificates as soon as possible. This way Let’s Encrypt could revoke 1.7 million certificates, because they were already renewed after the date problem was solved.

Summary

If you renew all your certificates at once, you can be sure that all certificates are valid. If a renewal fails, you can look at it and fix it before you get warnings from Let’s Encrypt. You will also have enough time to figure out what is wrong.
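
To see which certificates still need attention after a renewal run, the following added example (not part of the original post) filters the text output of certbot certificates. The sample output, the domain names and the 30-day threshold are constructed assumptions, and the helper names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `certbot certificates` output (names and dates made up),
# so the filter can be tried without touching a live system.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.org
    Domains: example.org www.example.org
    Expiry Date: 2020-06-02 09:14:05+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
  Certificate Name: mail.example.org
    Domains: mail.example.org
    Expiry Date: 2020-03-20 11:02:41+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/mail.example.org/fullchain.pem
  Certificate Name: old.example.org
    Domains: old.example.org
    Expiry Date: 2020-02-01 08:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.org/fullchain.pem
EOF
}

# Read `certbot certificates` output on stdin and print "name status" for every
# certificate that is invalid or has fewer than $1 days left.
needs_attention() {
  awk -v min="$1" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      if ($0 ~ /INVALID/) {
        print name, "INVALID"               # expired, revoked or test cert
      } else if (match($0, /\(VALID: [0-9]+ day/)) {
        days = substr($0, RSTART + 8, RLENGTH - 12) + 0
        if (days < min) print name, days "d"
      } else {
        print name, "<1d"                   # remaining time given in hours
      }
    }'
}

# On a real host: sudo certbot certificates | needs_attention 30
sample_output | needs_attention 30
```

An empty result means every certificate is valid for at least the given number of days; any line that is printed names a certificate whose renewal should be looked at.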

Stay secure and use encryption for all your connections - your MailMum Team.

