Force Renewal of certificates


#1

Launching certify.exe via the CLI, there seem to be no parameters to “force” renewal.
When invoking “certify.exe renew”, it recognizes that there is one certificate slated for “auto renewal”, but it does not auto-renew it since the “existing certificate still ok”.

Questions:

  1. For testing purposes, I tried auto-renewing my cert every day. It does not work. When will Certify auto-renew the cert? Is it within a month of expiring, or does it follow the renewal days variable?
  2. Can we force auto-renewal of a cert, even if the application deems the cert still valid?

Great product. Thanks for the help in advance.


#2

I think I answered the first part of the question myself. Looking at the code, it seems that if I set auto-renewal to 1 day, the code will check that the current cert is older than one day.

Snippet of code:

public static bool IsRenewalRequired(ManagedCertificate s, int renewalIntervalDays, bool checkFailureStatus = false)
{
    // A cert with no DateRenewed is treated as if it were renewed 30 days ago
    var timeSinceLastRenewal = (s.DateRenewed ?? DateTime.Now.AddDays(-30)) - DateTime.Now;

    // DateRenewed - Now is negative for any past date, hence Math.Abs; note the strict '>'
    var isRenewalRequired = Math.Abs(timeSinceLastRenewal.TotalDays) > renewalIntervalDays;

    // (rest of the method, including the checkFailureStatus handling, not shown in this snippet)
    return isRenewalRequired;
}

My last cert was created 1/2/2019 @ 3:21 PM. So I am assuming I have to wait until 1/3/2019 @ 3:22 PM for it to trigger that it needs to renew, with auto-renewal set to 1 day. (I think the operator should be >= renewal days, but I could be wrong.)

Someone correct me if I am wrong in my assumptions.

I would still love to see a force parameter passed to this function to allow forcing of renewals.
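The following is an added Python model of the date-window check quoted above; it is not Certify's own code (the project is C#). It keeps the same arithmetic (the 30-day fallback for a cert with no renewal date, the absolute value of a negative interval, the strict `>`), but takes `now` as a parameter instead of reading DateTime.Now so the one-day boundary can be pinned down, and adds a hypothetical `force` parameter to show what the override being asked for would amount to. The cert dates are constructed to match the timings in the thread.

```python
"""Model of Certify's IsRenewalRequired date-window check (added example, not project code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ManagedCertificate:
    name: str
    # Mirrors s.DateRenewed in the C# snippet; None when the cert has never been renewed.
    date_renewed: Optional[datetime]


def is_renewal_required(cert: ManagedCertificate, renewal_interval_days: int,
                        now: datetime, force: bool = False) -> bool:
    """Same arithmetic as the quoted C# snippet.

    `now` replaces DateTime.Now so the boundary is testable.
    `force` is a hypothetical flag (not part of Certify) that bypasses the window check.
    """
    if force:
        return True
    # A cert with no DateRenewed is treated as if it were renewed 30 days ago.
    last_renewed = cert.date_renewed if cert.date_renewed is not None else now - timedelta(days=30)
    # DateRenewed - Now is negative for any past date; Math.Abs undoes that.
    # total_seconds()/86400 keeps the fractional days that C#'s TotalDays has.
    elapsed_days = abs(last_renewed - now).total_seconds() / 86400.0
    # Strict '>': exactly renewal_interval_days elapsed is NOT yet due.
    return elapsed_days > renewal_interval_days


def check_scenarios() -> dict:
    """Walk through the timings discussed in the thread (constructed sample data)."""
    cert = ManagedCertificate("example", datetime(2019, 1, 2, 15, 21))
    never = ManagedCertificate("new-cert", None)
    return {
        # renewed 1/2 15:21, interval 1 day: at 1/3 15:21 exactly 1.0 days have elapsed -> not due
        "at_exactly_one_day": is_renewal_required(cert, 1, datetime(2019, 1, 3, 15, 21)),
        # one minute later, 1.0007 days > 1 -> due
        "one_minute_later": is_renewal_required(cert, 1, datetime(2019, 1, 3, 15, 22)),
        # interval 30 days, only 14 days elapsed -> not due
        "interval_30_at_day_14": is_renewal_required(cert, 30, datetime(2019, 1, 16, 15, 21)),
        # hypothetical force flag ignores the window entirely
        "forced": is_renewal_required(cert, 30, datetime(2019, 1, 3, 15, 21), force=True),
        # never renewed counts as 30 days ago: due for a 1-day interval ...
        "never_renewed_interval_1": is_renewal_required(never, 1, datetime(2019, 1, 3)),
        # ... but 30.0 > 30 is false, so not due for a 30-day interval
        "never_renewed_interval_30": is_renewal_required(never, 30, datetime(2019, 1, 3)),
    }


if __name__ == "__main__":
    for scenario, due in check_scenarios().items():
        print(f"{scenario:28} renew? {due}")
```

Running it shows why the 3:21 PM check in the thread did nothing and the 3:22 PM one renewed: with a strict `>`, the minute that takes elapsed time past exactly 1.0 days is the first one that qualifies.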


#3

Feedback: at 3:22 PM I was able to auto-renew with my “Auto Renewal Days” set to 1.


#4

Hi, yes this is the current behaviour and, as you say, reducing the auto renewal interval is great for testing. You can just hit ‘Request Certificate’ again if you want to see if renewal is going to work after some settings changes etc. The difference between Auto Renewal and Request Certificate is just that auto renewal will check that the date last renewed falls within the date window before attempting anything (for all managed certs).

Regarding forcing auto renew, is this just to see if renewal works, or is there another use case? Most people just use the auto renewal that’s built in without using the CLI at all.


#5

Thanks for the clarification on the auto-renewal and request certificate.

The use case for having a force flag would be helpful for scripting. Ideally, I would run “certify.exe renew force” on the first of the month and it would force renewal of all the certs regardless of the “autorenew” flag. I do understand that having the autorenew set to one day and running the script once a month will work. But there is the added time of developing and testing the script. Without a force flag, I will actually need to wait 24 hrs to see if the scripted/scheduled methodology works. On the Linux side of things with certbot, you can force a renewal of a cert up to 3 times on the live systems, I believe.

Thank you for clarifying the timings and how things work.