Let’s Encrypt Authority issues free SSL certificates. Hence, we call them Let’s Encrypt SSL certificates. A website uses an SSL certificate to make the site more secure. In other words, it converts an HTTP website into an HTTPS website. A Let’s Encrypt certificate is free; however, it is valid for only three (3) months. Therefore, we must renew a Let’s Encrypt SSL certificate every three (3) months.
This tutorial on how to renew a Let’s Encrypt SSL certificate assumes that you already have a valid Let’s Encrypt SSL certificate. It also assumes that you used Certbot on a Linux machine to get your Let’s Encrypt certificate, as outlined in How to Get a Free SSL Certificate for GoDaddy.
Here is the step-by-step guide on how to renew a Let’s Encrypt SSL certificate.
Step 1 – Run Certbot
First, open a Linux terminal window. Then, type the command sudo certbot certonly --manual. Finally, press the ENTER key.
Take note that the command, sudo certbot certonly --manual, is exactly the same command used for retrieving a new Let’s Encrypt SSL certificate. However, instead of first asking for an email address, as it did on its first run, it goes directly to the step of asking for the domain name or names.
Step 2 – Provide the domain name of the SSL certificate for renewal
Provide the domain name. Or, in the case of multiple domains, separate the names with commas or spaces.
Let’s Encrypt recommends renewing your SSL certificate thirty (30) days before its expiration date. As a result, Certbot first checks the provided domain name’s SSL certificate. If the certificate is not expiring in thirty (30) days, you will get the message:
Cert not yet due for renewal
Certbot then gives you two options. The first one is to keep the existing certificate for now. If you select this option, Certbot displays a message saying Certificate not yet due for renewal; no action taken. After that, Certbot gracefully exits. Examine the screenshot below.
The second option that Certbot provides is to renew and replace the SSL certificate. This option renews and replaces the Let’s Encrypt SSL certificate regardless of its expiration date. Selecting this second option will bring you to the next step, which is the ACME challenge.
NOTE: Certbot has an option to force the renewal of a Let’s Encrypt SSL certificate without regard to its expiration date. The command for Certbot is: sudo certbot certonly --manual --force-renewal
Step 3 – Do the ACME file challenge
The ACME file challenge is a test to prove your ownership of the domain or domains you provided to Certbot. Therefore, you are required to create a file on the web server of the said domain(s). The instructions for the challenge file are shown in the screenshot above.
From this point, you need to leave Certbot and create the challenge file. However, you must keep Certbot running. That is, do not close the Linux terminal window with the running Certbot.
For a complete guide on how to do this file challenge, see How to create the acme challenge file.
Step 4 – Let Certbot check the file challenge and renew the Let’s Encrypt SSL certificate
Go back to the Linux terminal window running the Certbot program. Press the ENTER key to let Certbot verify the challenge file that you created on the web server.
Finally, if Certbot finds the challenge file in order, it will retrieve a new Let’s Encrypt SSL certificate. This new certificate will be valid for the next three (3) months.
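Before pressing ENTER in Step 4, it helps to confirm that the challenge file exists and contains exactly the data Certbot printed. The following is an added example, not part of the original tutorial or of Certbot itself. It assumes the standard ACME location /.well-known/acme-challenge/ under the web root, and the function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for Certbot's manual file challenge.
# Function names and all sample values are constructed for illustration.

CR=$(printf '\r')

# compare_body ACTUAL EXPECTED -> 0 when equal after dropping one trailing CR.
# ($(...) has already dropped trailing newlines from ACTUAL.)
compare_body() {
    got=${1%"$CR"}
    [ "$got" = "$2" ]
}

# check_local WEBROOT TOKEN EXPECTED
# Inspects the file on disk before (or after) it is uploaded.
# 0 = ok, 1 = file missing, 2 = content differs (BOM, extra text, wrong data)
check_local() {
    file="$1/.well-known/acme-challenge/$2"
    if [ ! -f "$file" ]; then
        echo "missing: $file (was an extension such as .txt added?)" >&2
        return 1
    fi
    if ! compare_body "$(cat "$file")" "$3"; then
        echo "content mismatch in $file" >&2
        return 2
    fi
    return 0
}

# check_served DOMAIN TOKEN EXPECTED
# Fetches the file over HTTP the way an outside client would.
# 0 = ok, 1 = fetch failed (404, DNS, timeout), 2 = content differs
check_served() {
    url="http://$1/.well-known/acme-challenge/$2"
    # -f: fail on HTTP errors, -L: follow redirects such as HTTP to HTTPS
    if ! fetched=$(curl -fsSL --max-time 10 "$url"); then
        echo "fetch failed: $url" >&2
        return 1
    fi
    if ! compare_body "$fetched" "$3"; then
        echo "content mismatch at $url" >&2
        return 2
    fi
    return 0
}
```

Call check_served with your domain, the file name, and the file content shown by Certbot; a non-zero result means Certbot's own verification would most likely fail as well.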