Let's Encrypt: Renewal and Automation
Configure automatic renewal and resolve renewal failures.
Let's Encrypt revolutionized SSL certificates by offering free, automatable certificates. However, these certificates have a short 90-day lifespan, making automatic renewal essential. A silently failing renewal can lead to unexpected expiration.
Certbot, the official Let's Encrypt client, is designed to automate renewal. But many factors can cause failures: server configuration changes, blocked ports, full disk, or DNS modifications. Understanding these causes helps prevent them.
This guide covers initial setup, renewal automation, and troubleshooting common problems. With best practices, you'll never have to deal with an unexpected Let's Encrypt expiration again.
How Let's Encrypt Works
Understanding the ACME validation process:
- Certificate request: Certbot generates a private key and requests a certificate for your domain from the Let's Encrypt certificate authority (CA).
- Validation challenge: Let's Encrypt verifies that you control the domain via HTTP-01 (a token file served under /.well-known/acme-challenge/) or DNS-01 (a TXT record under _acme-challenge).
- Certificate issuance: after validation, Let's Encrypt issues the certificate and Certbot installs it automatically.
- Renewal: Certbot checks certificates daily and renews those expiring within 30 days.
Causes of Renewal Failure
Common reasons renewal fails:
- Port 80 blocked: HTTP-01 challenge requires port 80 to be accessible from the Internet. A firewall or server config can block it.
- Modified web configuration: the .well-known/acme-challenge directory is no longer accessible, or the web server doesn't respond correctly.
- DNS problems: for DNS-01 challenge, TXT records aren't correctly created or propagated.
- Server resources: full disk, insufficient memory, or Certbot unable to write temporary files.
Failure Diagnosis
How to identify why renewal failed:
- Check logs: consult /var/log/letsencrypt/letsencrypt.log for detailed errors from the last renewal.
- Test HTTP challenge: create a test file in .well-known/acme-challenge and verify it's accessible via http://domain/.well-known/acme-challenge/test.
- Renewal simulation: run certbot renew --dry-run to simulate renewal without modifying the certificate.
- Check the scheduler: ensure the Certbot systemd timer (or cron job, on systems without systemd) is active with systemctl list-timers | grep certbot.
Troubleshooting Commands
Useful commands for diagnosing and resolving problems:
#!/bin/bash
# Check certificate status
certbot certificates
# Simulate renewal
certbot renew --dry-run
# Force renewal (counts against the duplicate-certificate rate limit; use for one-off fixes, not in scripts)
certbot renew --force-renewal
# Check logs
tail -100 /var/log/letsencrypt/letsencrypt.log
# Check systemd timer
systemctl list-timers | grep certbot
systemctl status certbot.timer
# Test challenge accessibility
curl -I http://example.com/.well-known/acme-challenge/test
# Renew specific domain
certbot certonly --webroot -w /var/www/html -d example.com --force-renewal
# Check permissions
ls -la /etc/letsencrypt/live/
--dry-run is your best friend: it tests the entire process without touching the current certificate. Use it after any configuration change.
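The checks from the two sections above, gathered into one pre-flight script you can run after a configuration change or from the same timer that runs Certbot. This is an added example, not part of the original guide; it assumes the default webroot /var/www/html, the default Certbot log path, certbot.timer as the scheduler, GNU date and openssl for the expiry check, and the grep patterns below as the strings Certbot writes on a failed attempt.

```shell
#!/bin/bash
# Renewal pre-flight checks (example added here; not part of the original guide).
# Assumptions: webroot /var/www/html, default certbot log path, certbot.timer as
# scheduler, GNU date + openssl, and the grep patterns as certbot's failure text.
WEBROOT="${WEBROOT:-/var/www/html}"
DOMAIN="${DOMAIN:-example.com}"
LOGFILE="${LOGFILE:-/var/log/letsencrypt/letsencrypt.log}"
MIN_FREE_MB="${MIN_FREE_MB:-100}"
# Count log lines that mark a failed renewal attempt. Prints the count and
# returns non-zero when any were found, so it can drive an alert.
count_log_errors() {
  local n
  [ -r "$1" ] || return 2
  n=$(grep -cE 'Challenge failed for domain|Failed to renew certificate|Some challenges have failed' "$1" || true)
  echo "$n"
  [ "$n" -eq 0 ]
}
# Free megabytes on the filesystem holding a path (df -P output is POSIX-stable).
free_mb() { df -Pm "$1" | awk 'NR==2 {print $4}'; }
check_disk() { [ "$(free_mb "${1:-/etc/letsencrypt}")" -ge "$MIN_FREE_MB" ]; }
# Write a throwaway token into the challenge directory and fetch it over plain
# HTTP, as the HTTP-01 validator does. Passes only if the body returned is
# exactly the token: port 80 open, path served, no redirect to an error page.
check_challenge_path() {
  local dir="$WEBROOT/.well-known/acme-challenge" token body
  token="preflight-$$-$(date +%s)"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
  body=$(curl -fsS --max-time 10 "http://$DOMAIN/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}
# Days left on the certificate in $1 (needs openssl and GNU date).
days_until_expiry() {
  local end
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 1
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}
run_all() {
  local rc=0 days
  systemctl is-active --quiet certbot.timer || { echo "FAIL: certbot.timer inactive"; rc=1; }
  check_disk || { echo "FAIL: under ${MIN_FREE_MB}MB free on /etc/letsencrypt"; rc=1; }
  check_challenge_path || { echo "FAIL: HTTP-01 path unreachable on port 80"; rc=1; }
  count_log_errors "$LOGFILE" >/dev/null || { echo "WARN: failures logged in $LOGFILE"; rc=1; }
  days=$(days_until_expiry "/etc/letsencrypt/live/$DOMAIN/cert.pem") && echo "$days days left"
  return $rc
}
if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it as `DOMAIN=yourdomain ./preflight.sh --run`; a non-zero exit is what your monitoring should alert on, and a days-left value under 30 after a timer run means the renewal itself is failing.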
Best Practices
Ensure reliable renewal:
- Test after every change: after any web server or firewall modification, run certbot renew --dry-run to validate.
- Monitor logs: set up an alert if Certbot logs contain errors. Silent failure is the worst scenario.
- External monitoring: use MoniTao as a safety net. You'll be alerted before expiration even if Certbot fails.
- Renewal hooks: configure post-renewal hooks to automatically reload Nginx/Apache after a new certificate.
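A deploy hook for the last item, as an added example rather than the guide's own code. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS exported; the install path reload-web.sh and the served name example.com are assumptions.

```shell
#!/bin/bash
# Deploy hook (example added here, not from the guide). Assumed path:
# /etc/letsencrypt/renewal-hooks/deploy/reload-web.sh, mode 0755. Certbot runs
# it after each successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS set.
SERVED_DOMAIN="${SERVED_DOMAIN:-example.com}"   # assumed: the name nginx serves

# True when the space-separated domain list in $1 contains the exact name $2
# (a substring match would wrongly fire for sub.example.com).
domains_include() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

deploy() {
  # On a multi-site host, ignore renewals of lineages this server does not use.
  domains_include "$RENEWED_DOMAINS" "$SERVED_DOMAIN" || exit 0
  # Validate the config first so a broken reload never takes the site down,
  # then reload (not restart) to keep existing connections alive.
  nginx -t && systemctl reload nginx \
    && logger -t certbot-deploy "reloaded nginx for $RENEWED_LINEAGE"
}

# Do nothing unless certbot invoked us (the variables are unset otherwise).
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy; fi
```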
Let's Encrypt Checklist
- certbot renew --dry-run succeeds
- Certbot timer active (systemctl)
- Port 80 accessible from Internet
- .well-known directory accessible
- Sufficient disk space
- MoniTao monitoring configured
Frequently Asked Questions
Why do Let's Encrypt certificates expire after 90 days?
It's a deliberate security choice that encourages automation and limits the impact of a compromised key. With automation, it's not a problem.
Renewal failed, is my site in danger?
Not immediately. The current certificate remains valid until expiration. You have time to fix the problem, but act quickly.
Can I use Let's Encrypt for a wildcard certificate?
Yes, but wildcards require the DNS-01 challenge. For automation you need API access to the provider hosting your DNS zone (via a Certbot DNS plugin), since Certbot must create the TXT record at every renewal.
How do I receive expiration notifications?
Let's Encrypt sends emails to the address provided during creation. But also use MoniTao for independent monitoring.
Is Certbot the only Let's Encrypt client?
No, there are many ACME clients: acme.sh, Caddy, Traefik, and others. Certbot is the most popular and well-documented.
How do I migrate to another server without interruption?
Copy /etc/letsencrypt to the new server (preserving its symlinks, e.g. with rsync -a, since live/ points into archive/), or request a new certificate. Renewal will work as long as DNS points to the new server.
Automate and Monitor
Let's Encrypt makes SSL certificates free and accessible. But the short lifespan requires reliable automation. Configure Certbot properly and test regularly.
Combine Certbot automation with MoniTao monitoring for maximum security. You'll be alerted before any expiration, even if automatic renewal fails.