What's Actually Happening
Let's Encrypt SSL certificates are not renewing automatically, so they expire and cause SSL errors on the website.
The Error You'll See
```bash
$ certbot certificates
Found the following certs:
  Certificate Name: example.com
    Expiry Date: 2024-01-01 (EXPIRED)
```
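To catch this condition before visitors do, the `certbot certificates` output can be parsed on a schedule. The script below is an added example, not part of the original article; the function names, the 30-day threshold and the sample output are constructed for illustration.

```bash
#!/bin/sh
# Added example: list certbot-managed certificates that are close to expiry.

# Convert YYYY-MM-DD to days since 1970-01-01 with integer arithmetic only,
# so the script does not depend on GNU-specific `date -d`.
days_from_civil() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                  # avoid octal parsing of 08 and 09
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Usage: certbot certificates | expiring_certs THRESHOLD_DAYS [TODAY]
# Prints "<certificate name> <days left>" for each certificate with fewer
# than THRESHOLD_DAYS remaining (a negative value means already expired).
expiring_certs() {
    now=$(days_from_civil "${2:-$(date +%Y-%m-%d)}")
    awk '/Certificate Name:/ {name = $3} /Expiry Date:/ {print name, $3}' |
    while read -r name expiry; do
        left=$(( $(days_from_civil "$expiry") - now ))
        if [ "$left" -lt "$1" ]; then echo "$name $left"; fi
    done
}

# Constructed sample of `certbot certificates` output (not real data).
# The first entry uses the abbreviated form shown above, the others the
# fuller form with time and validity status.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Expiry Date: 2024-01-01 (EXPIRED)
  Certificate Name: api.example.com
    Expiry Date: 2024-03-20 12:00:00+00:00 (VALID: 70 days)
  Certificate Name: shop.example.com
    Expiry Date: 2024-01-25 12:00:00+00:00 (VALID: 15 days)
EOF
}

# Demo with a fixed "today" so the result is reproducible.
sample_output | expiring_certs 30 2024-01-10
```

On a real host, pipe `certbot certificates` into `expiring_certs 30` from cron or a monitoring check and alert when the output is not empty.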
Why This Happens
1. Renewal hook failing
2. Port 80 blocked
3. DNS changes
4. Rate limits
5. Certbot service stopped
Step 1: Check Certificate Status
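```bash
certbot certificates
# Dates of the certificate the server presents; stdin is closed so s_client exits after the handshake
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
```
Step 2: Dry Run Renewal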
```bash
# Test renewal against the staging environment without replacing any certificate
certbot renew --dry-run
```
Step 3: Check Port 80
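```bash
# Is port 80 reachable? The HTTP-01 challenge requires it
nc -zv example.com 80
# Is the challenge path served over plain HTTP?
curl http://example.com/.well-known/acme-challenge/test
```
Step 4: Check Firewall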
```bash
# Use the command for whichever firewall front end the host runs
iptables -L -n | grep 80
firewall-cmd --list-ports
ufw status
```
Step 5: Check Webroot
```bash
# Nginx:
grep acme /etc/nginx/sites-enabled/default
# Apache:
grep acme /etc/apache2/sites-enabled/000-default.conf
```
Step 6: Force Renewal
```bash
certbot renew --force-renewal
# Reload whichever web server is in use so it picks up the new certificate
systemctl reload nginx
systemctl reload apache2
```
Step 7: Check Certbot Timer
```bash
systemctl status certbot.timer
systemctl enable certbot.timer
systemctl start certbot.timer
```
Step 8: Check Logs
```bash
tail -f /var/log/letsencrypt/letsencrypt.log
journalctl -u certbot --since today
```
Step 9: Check Rate Limits
```bash
# Let's Encrypt limits:
# 5 certificates per domain per week
# 50 certificates per account per week
# Check: https://crt.sh/
```
Step 10: Verify Auto-Renewal
```bash
certbot renew --dry-run
systemctl list-timers | grep certbot
```
Related Issues
- [Fix SSL Certificate Chain Incomplete](/articles/fix-ssl-certificate-chain-incomplete)
- [Fix SSL Certificate Not Trusted](/articles/fix-ssl-certificate-not-trusted)