What is a certificate chain and why does it matter?

The chain links your server's certificate to a trusted root CA via intermediate certificates. Without intermediates, some clients (especially mobile) will not trust your certificate even if it is valid.

Can I use Let's Encrypt for internal servers?

Only if the server has a public domain name. Let's Encrypt validates domain ownership via HTTP or DNS challenges requiring public accessibility. For internal-only servers, use a private CA or self-signed certs.

Linux SSL/TLS Certificate Errors — Let's Encrypt, Chain, and Renewal Troubleshooting

Errorsecurity

About Linux SSL/TLS Certificate Errors

Fix Linux SSL certificate errors including Let's Encrypt renewal failures, certificate chain issues, expired certificates, and certbot troubleshooting. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.

Here are the key things to understand: Let's Encrypt provides free SSL certificates via certbot — auto-renewal is critical. Certificate chain must include: server cert + intermediate cert(s) — root cert is pre-installed in browsers. Certbot renewal runs via cron or systemd timer — check with certbot renew --dry-run. Certificates expire after 90 days (Let's Encrypt) — missed renewals cause site downtime. Certificate errors can prevent email delivery (Postfix TLS), API calls (curl), and web browsing. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.

The most common reasons this occurs include: Let's Encrypt certbot renewal failed silently — no notification configured. Certificate chain incomplete — intermediate certificate missing from server config. Port 80 blocked by firewall preventing HTTP-01 ACME challenge validation. certbot installed via OS package (outdated) instead of snap (current). Web server config pointing to old certificate path after certbot renewal. Identifying the root cause is the first step toward finding the right solution.

To resolve this, follow these recommended steps: Check certificate expiry: openssl s_client -connect domain.com:443 2>/dev/null | openssl x509 -noout -dates. Test renewal: certbot renew --dry-run to verify renewal will succeed. Fix HTTP-01 challenge: ensure port 80 is open and the web server serves /.well-known/acme-challenge/. Install certbot via snap (recommended): sudo snap install --classic certbot. Check full certificate chain: openssl s_client -connect domain.com:443 -showcerts. Force renewal: certbot renew --force-renewal (use sparingly — Let's Encrypt has rate limits). If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.

This article is part of our Linux Error Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.

Quick Answer

How do I set up auto-renewal?

Certbot via snap sets up a systemd timer automatically. Verify with systemctl status certbot.timer. For manual installs, add '0 0 * * * certbot renew --quiet' to root's crontab.

Overview

Fix Linux SSL certificate errors including Let's Encrypt renewal failures, certificate chain issues, expired certificates, and certbot troubleshooting.

Key Details

Let's Encrypt provides free SSL certificates via certbot — auto-renewal is critical
Certificate chain must include: server cert + intermediate cert(s) — root cert is pre-installed in browsers
Certbot renewal runs via cron or systemd timer — check with certbot renew --dry-run
Certificates expire after 90 days (Let's Encrypt) — missed renewals cause site downtime
Certificate errors can prevent email delivery (Postfix TLS), API calls (curl), and web browsing

Common Causes

Let's Encrypt certbot renewal failed silently — no notification configured
Certificate chain incomplete — intermediate certificate missing from server config
Port 80 blocked by firewall preventing HTTP-01 ACME challenge validation
certbot installed via OS package (outdated) instead of snap (current)
Web server config pointing to old certificate path after certbot renewal

Steps

1Check certificate expiry: openssl s_client -connect domain.com:443 2>/dev/null | openssl x509 -noout -dates
2Test renewal: certbot renew --dry-run to verify renewal will succeed
3Fix HTTP-01 challenge: ensure port 80 is open and the web server serves /.well-known/acme-challenge/
4Install certbot via snap (recommended): sudo snap install --classic certbot
5Check full certificate chain: openssl s_client -connect domain.com:443 -showcerts
6Force renewal: certbot renew --force-renewal (use sparingly — Let's Encrypt has rate limits)

Related Items

linux-ssl-tls-certificate-errors

More in Security

windows-defender-errorsWindows Defender Errors — Antivirus Not Working or Updating

Error

windows-error-0x80073b01-defender-serviceWindows Error 0x80073B01 — Windows Defender Service Failed to Start

Error

windows-bitlocker-recovery-key-errorsBitLocker Recovery Key Errors — Drive Locked and Recovery Key Not Found

Critical

mac-gatekeeper-app-blockedMac Gatekeeper — App Cannot Be Opened (Unidentified Developer)

Warning

mac-filevault-recovery-errorsMac FileVault Errors — Encryption, Decryption & Recovery Key Issues

Error

mac-keychain-errors-passwordsMac Keychain Errors — Password Prompts, Locked Keychain, and Repair Guide

Warning

Frequently Asked Questions

Certbot via snap sets up a systemd timer automatically. Verify with systemctl status certbot.timer. For manual installs, add '0 0 * * * certbot renew --quiet' to root's crontab.

Linux SSL/TLS Certificate Errors — Let's Encrypt, Chain, and Renewal Troubleshooting

About Linux SSL/TLS Certificate Errors

Quick Answer

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in Security

Frequently Asked Questions