A curated list of useful certbot commands

About Certbot

Certbot is a lifesaver when the user interface you normally use to renew certificates no longer works. Some servers of course come without any kind of control panel such as cPanel or Virtualmin. In those cases, understanding the basic syntax of Certbot is a must. This guide gives some pointers, but be warned: even for the seasoned network administrator, automated certificate renewals on a “non standard” server can be a complete nightmare.

Deployment Hooks

When renewing certificates one often has to do something else as well. One example is restarting Unix services. For example, you might have a Kopano server, and the Kopano server service might be “holding” the old SSL certificate in memory. The solution is to restart the Kopano services. However, how will you know Let’s Encrypt has renewed the certificate?

That’s where deployment hooks come in.

There are three types of hooks. They can be given on the command line or run automatically by placing scripts in a hook directory. The three hooks are:

  • pre-hook
  • deploy-hook
  • post-hook

Directories:

  • /etc/letsencrypt/renewal-hooks/pre
  • /etc/letsencrypt/renewal-hooks/deploy
  • /etc/letsencrypt/renewal-hooks/post

Add a script to the deploy directory to have it execute after successful renewal.

Reference: https://community.letsencrypt.org/t/run-script-after-each-automatic-renewal/118054/2
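As an added example (not part of the original article), here is a deploy hook for the Kopano case described above. Certbot runs every executable in the deploy directory after a successful renewal and exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS (the names on it); the script restarts the mail services only when the renewed certificate is the mail host's. The service names, the domain and the file name are assumptions for this host.

```shell
#!/bin/sh
# Added example deploy hook, not from the original article.
# Save as /etc/letsencrypt/renewal-hooks/deploy/restart-mail.sh and chmod +x.
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example.com)
# and RENEWED_DOMAINS (space-separated names) before running deploy hooks.

# Assumed for this host: the mail hostname and the services holding the cert.
MAIL_DOMAIN="mail.example.com"
MAIL_SERVICES="kopano-server kopano-gateway"

# Return 0 when the wanted hostname is among the renewed domains.
# Usage: renewed_domain_matches WANTED DOMAIN...
renewed_domain_matches() {
    want="$1"
    shift
    for d in "$@"; do
        [ "$d" = "$want" ] && return 0
    done
    return 1
}

# Last path component of the lineage directory, for log messages.
lineage_name() {
    basename "$1"
}

main() {
    # Other certificates on the host renew without touching the mail stack.
    # Word splitting of RENEWED_DOMAINS is intended here.
    # shellcheck disable=SC2086
    if ! renewed_domain_matches "$MAIL_DOMAIN" $RENEWED_DOMAINS; then
        logger -t certbot-deploy "$(lineage_name "$RENEWED_LINEAGE") renewed; not the mail cert, nothing to do"
        return 0
    fi
    for svc in $MAIL_SERVICES; do
        if systemctl restart "$svc"; then
            logger -t certbot-deploy "restarted $svc after renewal of $(lineage_name "$RENEWED_LINEAGE")"
        else
            logger -t certbot-deploy "failed to restart $svc; check journalctl -u $svc"
        fi
    done
}

# Only act when certbot invoked us (RENEWED_LINEAGE set); otherwise the
# functions can be sourced and exercised without a real renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Run certbot renew --dry-run after installing the hook to confirm it is picked up; a hook that exits non-zero is reported by certbot but does not undo the renewal.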

List all Certificates Certbot Knows About

This incredibly useful command shows you all the certificates Certbot manages on your system. As a bonus, if you need to delete certificates, use this command to list them first, then the next command to delete the one you want.

certbot certificates

Delete certificates

certbot delete --cert-name name.example.com-002

A problem after deleting certificates is that the remaining directory may keep a numbered name. E.g. you’ll be left with /etc/letsencrypt/live/mail.example.com-001

You can manually go into the live and archive directories and rename things, but be sure to also rename the matching renewal configuration file.

Try to renew all Certificates Certbot Knows About

certbot renew

The CRON required to renew all certificates every two months

If all is well with your Certbot installation, you should automatically have the following CRON:

root@nms:/etc/cron.d# cat certbot 
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Use OpenSSL to test a certificate on mail ports

These examples are for IMAPS on port 993 and SMTPS on port 465.

Test IMAPS port 993:

openssl s_client -CApath /etc/ssl/certs/ -connect mail.example.com:993 -brief

Test SMTPS port 465:

openssl s_client -connect mail.example.co.za:465 -servername mail.example.co.za -showcerts < /dev/null | openssl x509 -noout -text

See also: https://www.liquidweb.com/kb/how-to-test-ssl-connection-using-openssl/

Force Renewal

Example command:

certbot renew --force-renewal --cert-name mail.example.com

To Delete a Certbot Certificate

certbot delete --cert-name domain.com

Older CRON Information

Although certificates should be renewed around every two months, it’s better to check much more often, e.g. daily, to see if they can be renewed. Unfortunately the official manual doesn’t seem to address the frequency, so you’ll find hundreds of different answers all over the internet.

This article was updated 13 April 2021 to include an improved CRON job schedule.

First find out which certbot binary you use by doing this:

# which certbot
/usr/bin/certbot

The reason is that cron jobs run more reliably when the binary is given with its full path.

Now do this:

crontab -e

Add this:

0 */12 * * * /usr/bin/certbot renew
