Introduction to problem

This post is applicable for those who has already an SSL certificate from Lets Encrypt. And, wants to renew them.

Some Old Reference to Lets Encrypt commands

For previous posts about Lets Encrypt. See:

To know Certificate Expiry date

There may be a chance that you are running multiple websites from a server. You must be having an utility installed called: certbot. To get expiry date of each websites on your server, run:

sudo certbot certificates

It will list down all the certificates list and their expiry date. Sample output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: abcdef.com
    Domains: abcdef.com www.abcdef.com
    Expiry Date: 2018-07-22 01:30:26+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/abcdef.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/abcdef.com/privkey.pem
  Certificate Name: abcdefgh.com
    Domains: abcdefgh.com www.abcdefgh.com
    Expiry Date: 2019-03-07 08:02:01+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/abcdefgh.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/abcdefgh.com/privkey.pem
  Certificate Name: abcdefghij.com
    Domains: abcdefghij.com www.abcdefghij.com
    Expiry Date: 2019-03-07 08:03:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/abcdefghij.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/abcdefghij.com/privkey.pem
  Certificate Name: abcdefghijkl.com
    Domains: abcdefghijkl.com www.abcdefghijkl.com
    Expiry Date: 2019-01-06 01:30:19+00:00 (VALID: 29 days)
    Certificate Path: /etc/letsencrypt/live/abcdefghijkl.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/abcdefghijkl.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Renew a Certificate

Run command:

sudo certbot certonly -d <your-website>.com -d www.<your-website>.com

Note: I’m asking for both www and non-www version of certificate.

it will then ask for ways to authenticate:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Simply type 2 and press Enter. It will then ask for webroot, where your index.html or index.php resides. After typing, it will confirm, and start processing your request.

If everything goes fine, following is the output:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xyz.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xyz.com/privkey.pem
   Your cert will expire on 2019-03-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

And, now if you run:

sudo certbot certificates

You can see the updated expiry date.

Caution while renew SSL certificate

If by any chance, your request failed. You should change your command to:

sudo certbot certonly -d <your-website>.com -d www.<your-website>.com --dry-run

In case, you keeps on retrying. Lets encrypt has a quota of requests that it takes from a client. It will block you for the day or more. And, you will only request after that time limit. What this option does is it will test your configuration, and if everything goes fine, it will just display message: Success. It will not replace your new certificates.

But, this surely helps identifying errors. You should also look at the log file it generates. In the output message on console, it display the logfile path.

Hope you find this post useful.