A curated list of useful certbot commands

Certbot is a lifesaver when the user interface you use to renew certificates no longer works. Some servers, of course, come without any kind of control panel like cPanel or Virtualmin. In those cases, understanding the basic syntax of Certbot is a must. This guide gives some pointers, but be warned: even for a seasoned network administrator, automated certificate renewals on a “non-standard” server can be a complete nightmare.

For now, here is our list of favourite certbot commands:

List all Certificates Certbot Knows About

certbot certificates

Try to renew all Certificates Certbot Knows About

certbot renew

The CRON required to renew all certificates every two months

If all is well with your Certbot installation, you should automatically have the following CRON:

# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
# Upstream recommends attempting renewal twice a day
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
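Because of the `! -d /run/systemd/system` guard in that entry, a systemd host renews nothing from this file, so it is worth confirming which scheduler is really in charge. The check below is an added example, not part of the original article or of the certbot package; the function name `renewal_scheduler`, its optional root-prefix argument and the `timers.target.wants` symlink test are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which scheduler will actually run "certbot renew".
# It mirrors the guard in /etc/cron.d/certbot:
#   test -x /usr/bin/certbot -a \! -d /run/systemd/system
# It only inspects the packaged cron file, not per-user crontabs.

renewal_scheduler() {
    # Hypothetical optional argument: a directory prefix, so the check can be
    # pointed at a test tree instead of the live filesystem.
    root="${1:-}"
    certbot_bin="$root/usr/bin/certbot"
    cron_file="$root/etc/cron.d/certbot"
    systemd_dir="$root/run/systemd/system"
    # Assumption: an enabled certbot.timer appears as this symlink.
    timer_link="$root/etc/systemd/system/timers.target.wants/certbot.timer"

    # First half of the cron guard: without the binary nothing can run.
    if [ ! -x "$certbot_bin" ]; then
        echo "no-certbot"
        return 1
    fi

    # Second half of the guard: under systemd the cron entry is skipped,
    # so renewal depends entirely on the timer being enabled.
    if [ -d "$systemd_dir" ]; then
        if [ -L "$timer_link" ] || [ -e "$timer_link" ]; then
            echo "systemd-timer"
            return 0
        fi
        echo "none"
        return 1
    fi

    # No systemd: the packaged cron file must hold an active renew line.
    if [ -f "$cron_file" ] && grep -Eq '^[^#].*certbot.*renew' "$cron_file"; then
        echo "cron"
        return 0
    fi

    echo "none"
    return 1
}
```

Call `renewal_scheduler` with no argument on a live host; a result of `none` means no packaged job will renew certificates, and `systemctl show certbot.timer` gives the timer's actual state.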

Force Renewal

Example command:

certbot renew --force-renewal --cert-name mail.example.com

To Delete a Certbot Certificate

certbot delete --cert-name domain.com

Older CRON Information

Although certificates should be renewed around every two months, it’s better to check much more often, e.g. daily, to see if they can be renewed. Unfortunately, the guidance provided by the official manual doesn’t seem to address the frequency, so you’ll find hundreds of different answers all over the internet.

This article was updated 13 April 2021 to include an improved CRON job schedule.

First find out which certbot binary you use by doing this:

# which certbot

The reason is that CRON works more reliably when the binary is given with its full path, since cron jobs run with a minimal PATH.

Now do this:

crontab -e

Add this:

0 */12 * * * /usr/bin/certbot renew


