
If I run certbot renew --dry-run and make no further changes to my Nginx configuration, am I guaranteed that certbot renew will succeed 90 days later? In other words, can the result be a false positive?

If so, should I rather run certbot renew --force-renewal for a thorough test?

lofidevops

1 Answer

Surely you can use --force-renewal if it satisfies you. But you cannot run it every day. The --dry-run option is there for that very reason of testing.

See here: https://certbot.eff.org/docs/using.html#certbot-command-line-options:

--dry-run           Perform a test run of the client, obtaining test
                    (invalid) certificates but not saving them to disk.
                    This can currently only be used with the 'certonly'
                    and 'renew' subcommands. Note: Although --dry-run
                    tries to avoid making any persistent changes on a
                    system, it is not completely side-effect free: if used
                    with webserver authenticator plugins like apache and
                    nginx, it makes and then reverts temporary config
                    changes in order to obtain test certificates, and
                    reloads webservers to deploy and then roll back those
                    changes. It also calls --pre-hook and --post-hook
                    commands if they are defined because they may be
                    necessary to accurately simulate renewal. --deploy-
                    hook commands are not called. (default: False)

This option is for testing your configuration and making sure everything is configured correctly, but it has some side effects.

For the renewal, you can safely use the renew option regularly via cron:

renew:
                The 'renew' subcommand will attempt to renew all certificates (or more
                precisely, certificate lineages) you have previously obtained if they are
                close to expiry, and print a summary of the results. By default, 'renew'
                will reuse the options used to create obtain or most recently successfully
                renew each certificate lineage. You can try it with `--dry-run` first. For
                more fine-grained control, you can renew individual lineages with the
                `certonly` subcommand. Hooks are available to run commands before and
                after renewal; see https://certbot.eff.org/docs/using.html#renewal for
                more information on these.

This will run the renewal process regularly but will only renew certificates when it is necessary, i.e. when they are about to expire.

The --force-renewal option is not the right one for updating certificates automatically; rather, it is meant for manual updates:

If you are manually renewing all of your certificates, the --force-renewal flag may be helpful; it causes the expiration time of the certificate(s) to be ignored when considering renewal, and attempts to renew each and every installed certificate regardless of its age. (This form is not appropriate to run daily because each certificate will be renewed every day, which will quickly run into the certificate authority rate limit.)

As for the guarantee, it's free and open source software and nobody is going to guarantee you anything, I suppose. So use it at your own risk.

Diamond
  • I'm specifically concerned about `renew --dry-run` returning a false positive; I've updated the question to reflect this – lofidevops Apr 23 '18 at 07:20
  • @d3vid, pls read my answer again. You are supposed to run renew without the dry-run option via cron. You can get the output emailed also to see what's going on. And for guarantee, it's free software, from a non-profit organisation, which is actively maintained, very well documented and trusted by thousands. But I am sure they are not going to guarantee you anything. – Diamond Apr 23 '18 at 08:20
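The cron-driven renewal the answer recommends, paired with an independent expiry check so that a misleading `--dry-run` result is noticed well before a certificate actually lapses. This is an added example, not code from the question, the answer or certbot's own documentation; it assumes openssl is installed, the default /etc/letsencrypt/live layout, and the script name `renew-check.sh` (all assumptions).

```shell
#!/bin/sh
# Added example (not from the original post). Intended to run daily from cron:
#   17 3 * * * /usr/local/sbin/renew-check.sh --run
# The deploy hook only fires when a certificate was really renewed, which is
# exactly the path --dry-run never exercises (it skips --deploy-hook).
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"  # assumed default certbot layout
MIN_DAYS="${MIN_DAYS:-20}"                     # alarm threshold; certbot renews at 30

# Return 0 if the leaf certificate in $1 expires within $2 days, 1 otherwise.
# Wraps `openssl x509 -checkend`, which exits 0 only if the cert outlives the window.
cert_expires_within() {
    cert="$1"; days="$2"
    seconds=$((days * 86400))
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1   # still valid beyond the threshold
    fi
    return 0
}

# Walk every lineage under $1, warn about certs expiring within $2 days,
# and return the number of problems found (0 means all good).
check_all_certs() {
    problems=0
    for pem in "$1"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        if cert_expires_within "$pem" "$2"; then
            echo "WARNING: $pem expires within $2 days" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

main() {
    # Real renewal: certbot only renews lineages close to expiry. nginx is
    # reloaded only after a successful config test, and only when something changed.
    certbot renew --quiet --deploy-hook "nginx -t && systemctl reload nginx" || {
        echo "certbot renew failed" >&2
        return 2
    }
    # Independent of certbot's own verdict: cron will mail any WARNING lines.
    check_all_certs "$LIVE_DIR" "$MIN_DAYS"
}

if [ "${1:-}" = "--run" ]; then
    main; exit $?
fi
```

A non-zero exit from the script (renewal failure or a short-lived cert) is what cron should alert on, independent of whatever the last dry run reported.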