Let’s Encrypt certificates are issued via the ACME protocol by ACME client software, which on Linux operating systems is Certbot. These certificates must be renewed every 90 days, before they expire.
Many of us are familiar with the e-mail: Let’s Encrypt certificate expiration notice for domain.
Your certificate (or certificates) for the names listed below will expire in 20 days (on 31 Mar 23 08:33 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
myhost.domain.org
The commands below show how to read the expiry date of the Let’s Encrypt certificates on our myhost server, so that they can be renewed in time, before they expire and become invalid.
Check Certificates Expiry Date
To view a list of the certificates Certbot knows about, run the certificates subcommand in the terminal shell:
$ sudo certbot certificates
This returns output similar to the following, including the Expiry Date:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: myhost.domain.org
Domains: myhost.domain.org
Expiry Date: 2023-03-26 08:39:39+00:00 (VALID: 14 days)
Certificate Path: /etc/letsencrypt/live/myhost.domain.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/myhost.domain.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The expiry date of any certificate can be queried with openssl, not only that of Let’s Encrypt certificates.
$ sudo openssl x509 -dates -noout -in /etc/letsencrypt/live/myhost.domain.org/cert.pem
This command, run in a Linux terminal, displays the notBefore and notAfter dates of the certificate, as defined by the ITU-T X.509 standard for digital certificates. The file is passed with -in because a < redirection would be opened by the calling shell without root privileges, not by sudo.
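The check above can be scripted to flag certificates that have entered the 30-day renewal window recommended in the expiration notice. This is an added example, not part of the original article; it assumes GNU date and openssl, and the function names and the script name certcheck.sh are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report certificates that have
# entered the 30-day renewal window. Assumes GNU date and openssl.
# Function names and the script name certcheck.sh are hypothetical.

RENEW_BEFORE_DAYS=30   # a third of the 90-day lifetime, per the notice

# days_left "notAfter=..." [now_epoch] -> whole days until expiry, rounded
# down (negative once expired). Input is the line printed by
# `openssl x509 -enddate -noout`.
days_left() (
    not_after=${1#notAfter=}
    now=${2:-$(date +%s)}
    end=$(date -u -d "$not_after" +%s) || exit 2
    diff=$((end - now))
    if [ "$diff" -lt 0 ]; then
        echo "-$(( (86399 - diff) / 86400 ))"
    else
        echo "$((diff / 86400))"
    fi
)

# cert_status <days> -> EXPIRED, RENEW or OK
cert_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$RENEW_BEFORE_DAYS" ]; then echo RENEW
    else echo OK
    fi
}

# check_cert <pem> [now_epoch] -> prints one report line, non-zero unless OK
check_cert() (
    line=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null) ||
        { echo "$1: UNREADABLE"; exit 2; }
    days=$(days_left "$line" "$2") || exit 2
    status=$(cert_status "$days")
    echo "$1: $status ($days days left)"
    [ "$status" = OK ]
)

# As root: sh certcheck.sh /etc/letsencrypt/live/*/cert.pem
if [ "$#" -gt 0 ]; then
    rc=0
    for pem in "$@"; do check_cert "$pem" || rc=1; done
    exit "$rc"
fi
```

The non-zero exit status for anything other than OK lets a cron job or monitoring check raise an alert when automatic renewal has silently stopped working.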
Renew your Let’s Encrypt Certificates
The Let’s Encrypt certificates can be renewed before they expire using this command.
$ sudo certbot renew
Here the Let’s Encrypt certificate is renewed only for the domain domain.org and its hostname myhost.domain.org, using the apache2 web server.
$ sudo certbot --apache -d domain.org -d myhost.domain.org
Here the Let’s Encrypt certificate is renewed only for the hostname myhost.domain.org, e.g. for services such as an SMTP mail transfer agent that uses STARTTLS.
$ sudo certbot --standalone certonly -d myhost.domain.org