Force Renewal of certificates

Launching certify.exe via the CLI, there seem to be no parameters to “force” renewal.
When invoking “certify.exe renew” it recognizes that there is one certificate slated for “auto renewal” but it does not auto-renew it since the “existing certificate still ok”.

Questions.

  1. For testing purposes, I tried auto-renewing my cert every day. It does not work. When will Certify auto-renew the cert? Is it within a month of expiring, or does it follow the renewal days variable?
  2. Can we force auto-renewal of a cert, even if the application deems the cert still valid?

Great product. Thanks for the help in advance.

I think I answered the first part of the question myself. Looking at the code, it seems that if I set auto-renewal to 1 day, the code will check that the current cert is older than one day.

Snippet of code:

public static bool IsRenewalRequired(ManagedCertificate s, int renewalIntervalDays, bool checkFailureStatus = false)
{
    // A certificate with no recorded renewal date is treated as if it was renewed 30 days ago
    var timeSinceLastRenewal = (s.DateRenewed ?? DateTime.Now.AddDays(-30)) - DateTime.Now;

    // Renewal is due once the (absolute) number of elapsed days exceeds the configured interval
    var isRenewalRequired = Math.Abs(timeSinceLastRenewal.TotalDays) > renewalIntervalDays;

    // remainder of the method (including the checkFailureStatus handling) not quoted here
    return isRenewalRequired;
}

My last cert created was 1/2/2019 @ 3:21PM. So I am assuming I have to wait until 1/3/2019 @ 3:22PM for it to trigger that it needs to renew with the autorenewal set to 1 day. (I think the operator should be >= to renewal days, but I could be wrong.)

Someone correct me if I am wrong in my assumptions.

Still would love to see a force parameter to be passed to this function to allow forcing of renewals.

Feedback. At 3:22PM I was able to auto-renew with my “Auto Renewal Days” set to 1.
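To make the quoted date-window check concrete, here is an added Python re-implementation of that logic (example code, not Certify's own): it reproduces the “null renewal date counts as 30 days ago” default and the strict `>` comparison discussed above, and adds a hypothetical `force` flag of the kind requested in this thread, which is an assumption and not part of the quoted code.

```python
from datetime import datetime, timedelta
from typing import Optional

# Mirrors `s.DateRenewed ?? DateTime.Now.AddDays(-30)` in the quoted snippet.
DEFAULT_AGE_WHEN_UNKNOWN = timedelta(days=30)


def is_renewal_required(date_renewed: Optional[datetime],
                        renewal_interval_days: int,
                        now: datetime,
                        force: bool = False) -> bool:
    """Return True when a managed certificate should be renewed.

    `force` is a hypothetical flag (assumed for illustration): when set, the
    date window is ignored and renewal is always reported as required.
    """
    if force:
        return True
    last = date_renewed if date_renewed is not None else now - DEFAULT_AGE_WHEN_UNKNOWN
    # Math.Abs(timeSinceLastRenewal.TotalDays) > renewalIntervalDays
    days_since_renewal = abs((now - last).total_seconds()) / 86400.0
    return days_since_renewal > renewal_interval_days


def certs_due_for_renewal(certs: dict, renewal_interval_days: int,
                          now: datetime, force: bool = False) -> list:
    """Apply the check to every managed cert (name -> last renewal date or None)."""
    return sorted(name for name, renewed in certs.items()
                  if is_renewal_required(renewed, renewal_interval_days, now, force))


if __name__ == "__main__":
    # Constructed sample: the poster's cert renewed 1/2/2019 3:21PM, interval 1 day.
    renewed = datetime(2019, 1, 2, 15, 21)
    print(is_renewal_required(renewed, 1, datetime(2019, 1, 3, 15, 21)))  # exactly 1 day: False
    print(is_renewal_required(renewed, 1, datetime(2019, 1, 3, 15, 22)))  # one minute later: True
    sample = {"example.test": renewed, "never-renewed.test": None}
    print(certs_due_for_renewal(sample, 1, datetime(2019, 1, 3, 15, 22)))
```

Because the comparison is strict, a cert renewed at 3:21PM with a 1-day interval is not due at 3:21PM the next day but is at 3:22PM, which matches the feedback above.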

Hi, yes this is the current behaviour and as you say reducing the auto renewal interval is great for testing. You can just hit ‘Request Certificate’ again if you want to see if renewal is going to work after some settings changes etc. The difference between Auto Renewal and Request Certificate is just that auto renewal will check the date last renewed falls within the date window before attempting anything (for all managed certs).

Regarding forcing auto renew, is this just to see if renew works or is there another use case? Most people just use the auto renewal that’s built in without using the CLI at all.

Thanks for the clarification on the auto-renewal and request certificate.

The use case for having a force flag would be helpful for scripting. Ideally I would run “certify.exe renew force” on the first of the month and it would force renewal of all the certs regardless of the “autorenew” flag. I do understand that having autorenew set to one day and running the script once a month will work. But there is the added time of developing and testing the script. Without a force flag, I will actually need to wait 24 hrs to see if the scripted/scheduled methodology works. On the Linux side of things with certbot, you can force a renewal of a cert up to 3 times on the live systems I believe.

Thank you for clarifying the timings and how things work.


Here’s a good reason received from Let’s Encrypt today.

We recently discovered a bug in the Let’s Encrypt certificate authority code,
described here:

2020.02.29 CAA Rechecking Bug - Incidents - Let's Encrypt Community Support

Unfortunately, this means we need to revoke the certificates that were affected
by this bug, which includes one or more of your certificates. To avoid
disruption, you’ll need to renew and replace your affected certificate(s) by
Wednesday, March 4, 2020. We sincerely apologize for the issue.

If you’re not able to renew your certificate by March 4, the date we are
required to revoke these certificates, visitors to your site will see security
warnings until you do renew the certificate. Your ACME client documentation
should explain how to renew.

If you are using Certbot, the command to renew is:

certbot renew --force-renewal

If you need help, please visit our community support forum:
Revoking certain certificates on March 4 - Help - Let's Encrypt Community Support

Please search thoroughly for a solution before you post a new question. Let’s
Encrypt staff will help our community try to answer unresolved questions as
quickly as possible.


Thanks, yes indeed. The next version will definitely have an option to force auto renewal. Will investigate also the ability to check revocation status and dynamically renew.