Enhancement: provide a way to force an immediate certificate renewal attempt for some or all desired certificates #274

Open
siebenmann opened this issue Sep 20, 2017 · 11 comments

@siebenmann

I work in a university and we have a multi-week winter break where no one is around at work. Just in case, we'd like to have certificate renewals not need to happen during this break time. If one would normally be scheduled to happen then due to the normal renewal timing, we'd like to be able to force it to happen before we go on break.

(There are other potential points where we might want the systems to be as static as possible, such as the rush at the end of graduate student application submissions, where any problems such as the web server not coming up again after an automated restart would have a high impact.)

This is related to #221 but not quite the same thing, although we could do this with control over the renewal margin. In our case we don't want a permanently different renewal margin; we're fine with any defaults that give us a couple of weeks to fix any failure-to-renew issues. We just want to avoid renewals at what we consider 'bad' times.

@markengelhardt

I would like this as well for testing.

@klausenbusk

According to #137 (comment) this is already possible.

```
$ acmetool status
[...]
Target(domain.tld;https://acme-v01.api.letsencrypt.org/directory;0)
  best: Certificate(<a long string>)
[...]
$ acmetool revoke <long string>
```

@siebenmann

The problem with revoking a certificate as a way to provoke renewal is that you've just revoked your live certificate. If there is a problem with renewal, you now have no valid certificate, which is obviously a bad state of affairs. When the entire purpose of early renewal is to preemptively avoid problems, my view is that starting out with a revocation is extremely counterproductive (and certainly it's something we would never use in my original situation).

@russau

russau commented Sep 8, 2019

This has worked well for me. Note: Playing around with this I hit the rate limit of 5 per week. https://letsencrypt.org/docs/rate-limits/

@rossy

rossy commented Mar 4, 2020

If anyone needs to know how to do this before 2020-03-04 20:00 UTC, I got acmetool to issue a new certificate without revoking the old certificate by deleting `/var/lib/acme/certs/<cert ID>` and running `acmetool reconcile`.

@dsadinoff

> According to #137 (comment) this is already possible.
>
> ```
> $ acmetool status
> [...]
> Target(domain.tld;https://acme-v01.api.letsencrypt.org/directory;0)
>   best: Certificate(<a long string>)
> [...]
> $ acmetool revoke <long string>
> ```

This did not work for me.

@Amunak

Amunak commented Mar 6, 2020

@dsadinoff revoking isn't a proper solution, even if it did work (for me it didn't either).

You want to do what rossy suggested above: delete (or move somewhere) the directories with the active certificates and then reconcile will generate new ones.

@dsadinoff

> You want to do what rossy suggested above: delete (or move somewhere) the directories with the active certificates and then reconcile will generate new ones.

Right, that works, many thanks.

@asalmela

asalmela commented Mar 9, 2020

Looks like doing `touch /var/lib/acme/live/www.example.com/revoked` will also generate new certs on next reconcile.

@cyqsimon

cyqsimon commented Aug 1, 2020

@asalmela Thanks for the solution. I believe this is the best approach for now because it doesn't delete the old certificate unless a new one is obtained successfully (I think).

@SpComb

SpComb commented Jul 17, 2021

There's a `margin` field in the desired target `satisfy` schema that per the documentation should seemingly allow you to request an earlier renewal:

> margin: Optional positive integer. If set, expresses the number of days before expiry at which a certificate should be replaced. The default value is implementation-dependent.

But unfortunately the implementation only seems to honor the configured renewal margin if it's shorter than the built-in `validityPeriod / 3` renewal span, i.e. 30 days for Let's Encrypt issued certs. Setting the target satisfy margin to anything higher than 30 days seemingly has no effect, and the certificate is still considered as `needsRenewing=false` 😞
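As an added example (not acmetool's own code), the following Go program models the renewal rule SpComb describes above, renewal becoming due once the time left is below min(configured margin, validity/3), and uses it to check whether a certificate's renewal would first become due inside a blackout window like the winter break from the original post. The rule, the dates and the 90-day validity are assumptions made for the example, not values taken from acmetool's source.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed model of the rule described in the thread: a certificate becomes
// due for renewal once the time left is below min(margin, validity/3).
func effectiveMargin(notBefore, notAfter time.Time, marginDays int) time.Duration {
	third := notAfter.Sub(notBefore) / 3 // 30 days for a 90-day certificate
	if marginDays <= 0 {
		return third
	}
	margin := time.Duration(marginDays) * 24 * time.Hour
	if margin < third {
		return margin
	}
	return third // a larger configured margin is silently capped
}

// renewalTime is the earliest instant at which a reconcile would renew.
func renewalTime(notBefore, notAfter time.Time, marginDays int) time.Time {
	return notAfter.Add(-effectiveMargin(notBefore, notAfter, marginDays))
}

// needsRenewing reports whether a reconcile run at now would attempt renewal.
func needsRenewing(notBefore, notAfter, now time.Time, marginDays int) bool {
	return !now.Before(renewalTime(notBefore, notAfter, marginDays))
}

// inWindow reports whether renewAt falls inside [start, end), e.g. a holiday
// break during which nobody is around to fix a failed renewal.
func inWindow(renewAt, start, end time.Time) bool {
	return !renewAt.Before(start) && renewAt.Before(end)
}

func main() {
	// Constructed input: a 90-day cert issued 2017-11-01, break 2017-12-22..2018-01-08.
	notBefore := time.Date(2017, 11, 1, 0, 0, 0, 0, time.UTC)
	notAfter := notBefore.Add(90 * 24 * time.Hour) // expires 2018-01-30
	breakStart := time.Date(2017, 12, 22, 0, 0, 0, 0, time.UTC)
	breakEnd := time.Date(2018, 1, 8, 0, 0, 0, 0, time.UTC)
	for _, margin := range []int{0, 20, 60} {
		due := renewalTime(notBefore, notAfter, margin)
		fmt.Printf("margin=%2d: renewal due %s, inside break: %v\n",
			margin, due.Format("2006-01-02"), inWindow(due, breakStart, breakEnd))
	}
}
```

With these inputs a margin of 60 lands on the same date as the default (2017-12-31, inside the break), which is the behaviour SpComb observed; only a margin below 30 days changes the date, and then only by moving the renewal later.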
