Error Codes Wiki

Let's Encrypt Certificate Renewal Error — Certbot and SSL Auto-Renewal Failures


About Let's Encrypt Certificate Renewal Error

Fix Let's Encrypt certificate renewal failures in Certbot caused by DNS validation errors, web server conflicts, and automatic renewal cron job issues. This guide covers the common causes, step-by-step solutions, and answers to frequently asked questions.

Key things to understand: Let's Encrypt certificates expire every 90 days and must be renewed regularly. Certbot handles automatic renewal via a systemd timer or cron job. Renewal fails if the domain validation method (HTTP-01 or DNS-01) stops working. HTTP-01 validation requires port 80 to be reachable from the internet. Wildcard certificates require DNS-01 validation, which needs DNS API access.

The most common causes are: port 80 blocked by a firewall, so HTTP-01 validation cannot reach the server; web server configuration changed since the certificate was first issued; DNS API credentials expired for DNS-01 (wildcard) validation; the Certbot renewal hook failing to restart the web server after renewal. Identifying the root cause is the first step toward the right fix.

To resolve this, follow these steps: Test renewal with 'sudo certbot renew --dry-run' to check whether renewal would succeed. Check the Certbot logs with 'cat /var/log/letsencrypt/letsencrypt.log' for detailed error messages. Ensure port 80 is open with 'sudo ufw allow 80/tcp', or check cloud firewall rules. Verify the renewal timer with 'systemctl status certbot.timer', or check the crontab for a certbot renew entry. For DNS-01: update the DNS API credentials in /etc/letsencrypt/renewal/[domain].conf.

This article is part of our Linux Error Codes collection on Error Codes Wiki.

Quick Answer

How often should I renew Let's Encrypt certificates?

Certbot's auto-renewal runs twice daily and renews certificates when they have less than 30 days until expiry. With 90-day certificates, renewal happens roughly every 60 days.

Key Details

  • Let's Encrypt certificates expire every 90 days and must be renewed regularly
  • Certbot handles automatic renewal via a systemd timer or cron job
  • Renewal can fail if the domain validation method (HTTP-01 or DNS-01) is not working
  • HTTP-01 validation requires port 80 to be accessible from the internet
  • Wildcard certificates require DNS-01 validation, which needs DNS API access

Common Causes

  • Port 80 blocked by firewall — HTTP-01 validation cannot reach the server
  • Web server configuration changed since initial certificate issuance
  • DNS API credentials expired for DNS-01 (wildcard) validation
  • Certbot renewal hook failing to restart the web server after renewal

Steps

  1. Test renewal: 'sudo certbot renew --dry-run' to check if renewal would succeed
  2. Check Certbot logs: 'cat /var/log/letsencrypt/letsencrypt.log' for detailed error messages
  3. Ensure port 80 is open: 'sudo ufw allow 80/tcp' or check cloud firewall rules
  4. Verify the renewal timer: 'systemctl status certbot.timer' or check crontab for a certbot renew entry
  5. For DNS-01: update DNS API credentials in /etc/letsencrypt/renewal/[domain].conf
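As an added example (not code from this wiki page), the POSIX shell script below runs the pre-flight checks from the steps above offline against one renewal conf: it reads the authenticator line to tell HTTP-01 from DNS-01, checks that something is listening on port 80 for HTTP-01, and for DNS-01 checks that the credentials INI file the dns-* plugin references exists and is not readable by other users. The conf path is an argument (assumed to be /etc/letsencrypt/renewal/[domain].conf or a copy of it); ss, stat and systemctl are assumed available.

```shell
#!/bin/sh
# Added example, not from the original page: offline pre-flight checks for one
# certbot renewal conf, passed as an argument (normally /etc/letsencrypt/renewal/<domain>.conf).

# validation_method CONF -> prints "http-01" or "dns-01" from the authenticator
# line (dns-* plugins mean DNS-01; webroot/standalone/nginx/apache mean HTTP-01).
validation_method() {
    auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$auth" in
        dns-*) echo dns-01 ;;
        webroot|standalone|nginx|apache) echo http-01 ;;
        "") return 2 ;;
        *) echo "unknown:$auth" ;;
    esac
}

# dns_credentials CONF -> prints the credentials INI path a dns-* plugin
# references (e.g. dns_cloudflare_credentials = /root/.secrets/cf.ini).
dns_credentials() {
    sed -n 's/^[[:space:]]*dns_[a-z0-9]*_credentials[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# renewal_due DAYS_LEFT -> succeeds when certbot would renew now (under 30 days left).
renewal_due() { [ "$1" -lt 30 ]; }

# preflight CONF -> prints findings for the method in use; returns 1 if any check failed.
preflight() {
    conf=$1; rc=0
    method=$(validation_method "$conf") || { echo "no authenticator in $conf"; return 1; }
    echo "validation method: $method"
    case "$method" in
    http-01)
        # HTTP-01 needs port 80 reachable from the internet; the local half of that
        # is that something listens at all (the firewall must also allow it in).
        if ss -ltn 2>/dev/null | grep -q ':80 '; then echo "port 80: listening"
        else echo "port 80: nothing listening (check web server and firewall)"; rc=1; fi ;;
    dns-01)
        creds=$(dns_credentials "$conf")
        if [ -z "$creds" ]; then echo "dns-01: no credentials file configured"; rc=1
        elif [ ! -r "$creds" ]; then echo "dns-01: credentials file $creds missing"; rc=1
        else  # the API token must not be readable by other users
            mode=$(stat -c %a "$creds" 2>/dev/null || stat -f %Lp "$creds")
            [ "$mode" = 600 ] || { echo "dns-01: $creds is mode $mode, expected 600"; rc=1; }
        fi ;;
    esac
    if systemctl is-active --quiet certbot.timer 2>/dev/null; then echo "certbot.timer: active"
    else echo "certbot.timer: not active (check crontab for a 'certbot renew' entry)"; fi
    return $rc
}
```

Run it as 'sh preflight.sh' with 'preflight /etc/letsencrypt/renewal/[domain].conf' appended, or source it and call preflight from an interactive shell; a non-zero exit means at least one precondition for renewal is missing.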

Tags

letsencrypt, certbot, ssl, certificate, renewal
