
How to Force Renew a Let's Encrypt SSL Certificate in an LNMP Environment

A Complete Guide to Forcing a Let's Encrypt SSL Certificate Renewal in an LNMP Environment

In LNMP (Linux, Nginx, MySQL, PHP) environments, Let's Encrypt certificates are typically managed by the acme.sh script. While automatic renewal is configured by default, you may need to force an immediate renewal before the scheduled date. This guide provides the commands and steps to do so.

Command to Force Renewal

Connect to your server via SSH and run the following command to force a renewal of all certificates managed by acme.sh:

/usr/local/acme.sh/acme.sh --cron --force --home /usr/local/acme.sh

Command Parameter Breakdown

  • --cron: Runs the script in cron mode, checking and renewing all configured certificates.
  • --force: Forces an immediate renewal attempt, even if the certificate is not yet near expiry. Useful for troubleshooting or immediate updates.
  • --home /usr/local/acme.sh: Specifies the acme.sh installation directory. This is the default path for the LNMP one-click installation package. Adjust if your path differs.

Steps and Important Notes

  1. Permissions: You usually need to run this command as the root user or with sudo.
  2. Process Verification: After execution, acme.sh will communicate with Let's Encrypt servers to validate domain ownership and issue a new certificate. A successful renewal will output a message like "Cert success."
  3. Restart Nginx: Once the certificate files are updated (typically in /usr/local/nginx/conf/ssl/), you must restart the Nginx service for the new certificate to take effect. Use service nginx restart or systemctl restart nginx.
  4. Automatic Renewal: Under normal conditions, acme.sh is configured with a cron job to handle renewals automatically. The force command is only for special cases.
  5. Path Confirmation: If you get a "command not found" error, verify the acme.sh installation path. You can search for it using: find / -name acme.sh 2>/dev/null.
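
An added example, not part of the original post: a POSIX shell check that the renewal from steps 2 and 3 actually reached clients, by confirming the on-disk certificate is freshly issued and that Nginx serves that same certificate. The function names, the 80-day freshness threshold and the certificate path you pass in are assumptions.

```shell
#!/bin/sh
# Added example: verify that a forced renewal took effect.
# Usage (path is a placeholder; use the file named by ssl_certificate in your vhost):
#   check_renewal /path/to/fullchain.pem example.com

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if the certificate in FILE is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the fingerprint of the leaf certificate a live server presents.
served_fingerprint() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare the on-disk certificate with the one being served.
# Prints and returns: LIVE (0), NOT_RELOADED (1), STALE_ON_DISK (2), UNREACHABLE (3).
# min_days defaults to 80 (assumption): a certificate just issued for 90 days
# has about 89 days left, one that was not renewed has far fewer.
check_renewal() {
    file=$1; host=$2; min_days=${3:-80}
    if ! cert_valid_for_days "$file" "$min_days"; then
        echo "STALE_ON_DISK"   # renewal did not replace the file
        return 2
    fi
    disk=$(cert_fingerprint "$file")
    live=$(served_fingerprint "$host")
    if [ -z "$live" ]; then
        echo "UNREACHABLE"     # no certificate received from the server
        return 3
    fi
    if [ "$disk" = "$live" ]; then
        echo "LIVE"
    else
        echo "NOT_RELOADED"    # Nginx still holds the old certificate in memory
        return 1
    fi
}
```

A NOT_RELOADED result means the files were updated but the Nginx restart in step 3 has not happened yet.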

Alternative Simplified Command

If acme.sh is in your system's PATH, you can use this simpler command:

acme.sh --cron --force

This uses the default configuration directory (usually ~/.acme.sh/). For LNMP one-click installs, using the full path as shown earlier is recommended for reliability.

Note: Let's Encrypt certificates are valid for 90 days. Ensure automatic renewal is set up and periodically check logs (e.g., /usr/local/acme.sh/acme.sh.log) to confirm the process is working.
