Let's Encrypt: How to manually test the certbot renewal process?

Question

I have a working setup where Let's Encrypt certificates are generated with certbot. I wonder how you effectively test whether the renewal will work in production.

The certificates last for 90 days. Is there a way to reduce the lifespan to, for instance, 10 minutes, to see if the renewal works? (Using the staging system for that is fine.)

If you have an alternative approach how to make sure that your renewal code works (without having to wait for 90 days), it would also be appreciated.

Answer 1

You use the --dry-run option. E.g.:

$ sudo certbot renew --dry-run

From certbot -h:

certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

...

--dry-run Test "renew" or "certonly" without saving any certificates to disk

This ensures that the certbot can validate your domain with your current configuration.

If you really want to save the certificates to disk and see if your system is using the new cert, then you can also use the --force-renewal option. In that case, you should visit your website and check that the active certificate is the new one. If it isn't, you likely need to adjust your cronjob to restart your web server. E.g.:

certbot renew && service apache24 restart

Answer 2

You can use "certbot renew --force-renewal"

https://certbot.eff.org/docs/using.html#configuration-file

--force-renewal, --renew-by-default

If a certificate already exists for the requested domains, renew it now, regardless of whether it is near expiry. (Often --keep-until-expiring is more appropriate). Also implies --expand. (default: False)