Finding out if a certificate is due for renewal without triggering the actual renewal with Certbot
Solution 1:
certbot will renew a certificate if autorenew is enabled in its configuration and the cert is revoked or within a certain number of days of expiring (default 30 days).
Any other certificate monitoring script can also parse the revocation status and notAfter.
Your attempt at getting certbot to not do its thing seems like a lot of work for little benefit. How else are you going to know if plugins work before doing it for real, if they are never executed?
Consider building your confidence in automation in steps.
- Script a method to reload services on cert renewal. This could be a graceful reload of a web server in a certbot hook, or draining load-balanced connections off hosts and restarting them.
- Run certbot interactively on a test domain. Use the same plugins and hooks as you would for real, but on a different zone entirely.
- Run certbot interactively on a production domain when ops are normally awake. Reserve time on the calendar to fix issues.
- Run certbot automatically in cron. Consider scheduling for during the day, when ops and their coworkers are awake.
Throughout, you will have the previous certificates saved locally by certbot, plus the serial numbers saved to public certificate transparency logs.
An advantage of Let's Encrypt is that it is a CA already trusted by many TLS clients. During renewal, the subject and the root do not change, only the keys, which makes renewal a routine operation that is easy to automate. That holds unless you do something exotic you have not described, like key pinning, but that is uncommon.
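As an added example (not part of the answer above, and not certbot's own code): a POSIX shell script that mirrors the expiry half of certbot's renewal decision with `openssl x509 -checkend`, so you can tell whether a certificate is inside the renewal window without invoking certbot at all. The path under /etc/letsencrypt/live/ is illustrative, the 30-day default is the one the answer quotes, and the script does not query OCSP, so it does not cover the revoked case.

```shell
#!/bin/sh
# Added example: report whether a PEM certificate is within certbot's renewal
# window, using only openssl and date. Nothing here talks to certbot or a CA.
# Assumptions: cert path such as /etc/letsencrypt/live/<name>/cert.pem
# (illustrative), renewal threshold of 30 days unless overridden.

# Print the notAfter field of a PEM certificate, as openssl formats it,
# e.g. "Jan  1 00:00:00 2030 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Whole days until notAfter (negative once expired). Tries GNU date first,
# then BSD/macOS date for the same fixed openssl format.
days_until_expiry() {
    not_after=$(cert_not_after "$1")
    expiry_epoch=$(date -u -d "$not_after" +%s 2>/dev/null \
        || date -u -j -f '%b %d %T %Y %Z' "$not_after" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Return 0 when the cert expires within THRESHOLD days (certbot renew would
# act), 1 otherwise. openssl -checkend exits 0 only if the cert is still
# valid past the given number of seconds, so the sense is inverted here.
due_for_renewal() {
    cert=$1
    threshold_days=${2:-30}
    if openssl x509 -noout -checkend $(( threshold_days * 86400 )) -in "$cert" >/dev/null; then
        return 1   # still outside the renewal window
    fi
    return 0       # inside the window, or already expired
}

# One-line human-readable report; exit status mirrors due_for_renewal so a
# cron job or monitoring check can branch on it.
report() {
    cert=$1
    threshold_days=${2:-30}
    expiry=$(cert_not_after "$cert")
    days=$(days_until_expiry "$cert")
    if due_for_renewal "$cert" "$threshold_days"; then
        echo "$cert: expires $expiry ($days days left); DUE for renewal (threshold ${threshold_days}d)"
        return 0
    fi
    echo "$cert: expires $expiry ($days days left); not due (threshold ${threshold_days}d)"
    return 1
}

# Usage: sh check-expiry.sh /etc/letsencrypt/live/example.com/cert.pem [threshold_days]
if [ $# -gt 0 ]; then
    report "$1" "${2:-30}"
fi
```

Run it against the `cert.pem` certbot keeps under its live directory and compare with what `certbot renew` decides; the two agree on the expiry criterion by construction, while the revocation criterion still needs an OCSP query against the issuer.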