certbot auto-renewal & --dry-run

Q: Set up auto-renewal (/etc/cron.d)? What does --dry-run mean? sudo certbot renew --dry-run

You've asked about setting up auto-renewal for Certbot and what the --dry-run flag does.

Auto-renewal with cron

Certbot's official packages from distribution repositories (EPEL on CentOS/RHEL, the official PPA on Ubuntu/Debian) normally set up auto-renewal for you. Installing the package creates a cron job or a systemd timer that runs twice a day and checks whether any certificate is due for renewal.

You can verify this by checking whether /etc/cron.d/certbot or /etc/cron.daily/certbot exists. That file contains the command Certbot uses to check for and renew certificates.

If you were to set this up manually, you would create a file in /etc/cron.d/certbot with the following content:

0 */12 * * * root certbot renew --quiet

This cron job runs the certbot renew command every 12 hours.

  • The 0 */12 * * * part is the schedule. It means "at minute 0 of every 12th hour (00:00 and 12:00), every day of the month, every month, every day of the week."
  • The root part is the user the command runs as (cron.d files have this extra field; a user's own crontab does not).
  • The certbot renew --quiet part is the command itself. The --quiet flag suppresses output unless there is an error, which keeps cron from mailing you on every successful check.

The --dry-run flag

The command sudo certbot renew --dry-run is a safe way to exercise your renewal process without actually renewing your certificates.

  • It simulates the entire renewal process, including running all the hooks you might have configured (like pre-hook and post-hook).
  • It connects to the Let's Encrypt staging environment, not the production one. This matters because the production environment enforces rate limits; --dry-run lets you test as many times as you need without consuming them.
  • It does not modify any of your existing certificates or server configuration. Your live certificates remain untouched.

You would use --dry-run to:

  • Verify that your renewal process works correctly after making changes to your server.
  • Test new hooks you've added to the renewal process.
  • Ensure that the certificate issuance and validation process is working correctly without issuing a new production certificate.

In short, --dry-run is a safe way to test that your auto-renewal setup is working as expected.
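The cron entry above and the point that --dry-run never saves a real certificate both suggest a quick sanity check: parse the cron.d entry, confirm it runs a real certbot renew, and flag the case where someone left --dry-run in the scheduled job (the job then "succeeds" twice a day while the live certificate quietly expires). The script below is an added example written for this gist, not Certbot's own tooling; it assumes nothing beyond POSIX sh, reads the file named by CERTBOT_CRON_FILE (an assumed variable, defaulting to /etc/cron.d/certbot), and ends by running itself over a constructed sample file.

```shell
#!/bin/sh
# Added example (not part of the gist or of Certbot): audit a cron.d entry
# such as "0 */12 * * * root certbot renew --quiet".
set -f   # the schedule fields contain '*', so word splitting must not glob

# Split a cron.d line into "schedule|user|command". cron.d files carry a user
# field after the five schedule fields, unlike a per-user crontab.
parse_crond_line() {
  set -- $1                   # default IFS word splitting (globbing is off)
  [ $# -ge 7 ] || return 1    # 5 schedule fields + user + at least one word
  schedule="$1 $2 $3 $4 $5"
  user=$6
  shift 6
  printf '%s|%s|%s\n' "$schedule" "$user" "$*"
}

# Print the check interval in hours implied by the hour field:
# "*/12" -> 12, "*" -> 1 (every hour); anything else is echoed back as-is.
cron_hour_interval() {
  set -- $1
  hour=$2
  case $hour in
    '*')        echo 1 ;;
    '*/'[0-9]*) echo "${hour#*/}" ;;
    *)          echo "$hour" ;;
  esac
}

# Classify the command part of the entry:
#   dry-run-in-cron -> --dry-run talks to staging and saves nothing, so this
#                      job never renews anything
#   ok              -> a real "certbot renew"
#   not-renew       -> some other command entirely
check_renew_command() {
  case $1 in
    *--dry-run*)       echo dry-run-in-cron ;;
    *"certbot renew"*) echo ok ;;
    *)                 echo not-renew ;;
  esac
}

# Report on every entry in the cron file, or say what is missing.
audit_certbot_cron() {
  f=${1:-${CERTBOT_CRON_FILE:-/etc/cron.d/certbot}}   # CERTBOT_CRON_FILE is assumed
  if [ ! -r "$f" ]; then
    echo "no readable $f; look for a systemd timer with 'systemctl list-timers'"
    return 0
  fi
  while IFS= read -r line; do
    case $line in ''|\#*) continue ;; esac        # skip blanks and comments
    parsed=$(parse_crond_line "$line") || { echo "unparseable: $line"; continue; }
    schedule=${parsed%%|*}
    rest=${parsed#*|}
    user=${rest%%|*}
    cmd=${rest#*|}
    echo "every $(cron_hour_interval "$schedule")h as $user: $(check_renew_command "$cmd") ($cmd)"
  done < "$f"
}

# Constructed sample for a stand-alone run: the first entry is the one the
# gist shows, the second is the mistake of leaving --dry-run in the schedule.
sample=$(mktemp)
printf '%s\n' \
  '# certbot renewal check, twice a day' \
  '0 */12 * * * root certbot renew --quiet' \
  '30 3 * * * root certbot renew --dry-run' > "$sample"
audit_certbot_cron "$sample"
rm -f "$sample"
```

Run it as-is to see the two sample verdicts, or point it at the real file with `CERTBOT_CRON_FILE=/etc/cron.d/certbot sh audit.sh` (after removing the sample block at the bottom). The classification is deliberately string-based and conservative: it only tells you whether the scheduled command is the real renew, which is the one thing --dry-run cannot tell you, since a dry run reports success whether or not the cron job itself is correct.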
