
Read-only first

Certbot renewal failed

Use dry-run renewal, certificate inventory, Certbot logs, and DNS checks before editing live TLS config.

Safest first command

sudo certbot renew --dry-run

Before you run this

Expected output: The dry-run renewal result: plugin output, challenge errors, or success text. The dry run validates against the Let's Encrypt staging environment and writes no certificates, so it is safe to repeat while you investigate.

When not to use it: Do not delete certificate files or switch authenticators before reading the exact failed challenge and affected domain.

Expected output example

Cert not due for renewal, but simulating renewal for dry run
Congratulations, all simulated renewals succeeded

How to read the result

A dry-run failure usually names the failed challenge (HTTP-01 or DNS-01), the affected domain, a plugin or webroot error, or a rate limit. A dry-run success only shows that the staging CA could validate the challenge now; the production renewal has its own rate limits, and DNS or web server routing can change before the real run.

What to check next

Dry run fails HTTP-01

Means: The CA could not fetch http://<domain>/.well-known/acme-challenge/<token> over port 80, typically because the webroot path is wrong, a redirect or rewrite rule swallows the request, or a firewall blocks inbound HTTP.

Next step: Check the domain set, the webroot path in /etc/letsencrypt/renewal/<name>.conf, and the Nginx/Apache routing for /.well-known/acme-challenge/.

Run Certbot Renewal Dry Run

Certbot manages unexpected names

Means: The renewal config may not match the intended domain set.

Next step: List certificate names and domains.

Inspect Certbot Certificate Inventory

DNS points to another host

Means: The CA sends the HTTP-01 request to whatever the public A (and, if present, AAAA) record points at. If that is another host, the challenge file on this server is never fetched; note that Let's Encrypt prefers IPv6 when an AAAA record exists.

Next step: Check the current A and AAAA records and compare them with this host's public addresses.

Check Domain A Records

Certbot renewal decision tree

Run the dry run, list managed certificates, read recent Certbot logs, and verify DNS points to this host before editing live web server config.

  1. sudo certbot renew --dry-run
  2. sudo certbot certificates
  3. sudo tail -80 /var/log/letsencrypt/letsencrypt.log
  4. dig +short example.com A
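The four read-only steps above, plus the classification of dry-run output described under "How to read the result", as one script. This is an added example, not a script from this page or from the Certbot project. It assumes certbot, dig and tail are on PATH, and the Certbot failure text embedded below is a constructed sample in the style of Certbot 2.x; real wording varies by version, so anything the classifier does not recognise is reported as unknown for a human to read. The triage function needs root and network access and is not exercised by the samples.

```shell
#!/bin/sh
# Read-only Certbot renewal triage (added example, not the page's own script).
# Assumptions: certbot, dig and tail are on PATH; the samples below are constructed.

# classify_dry_run: read dry-run output on stdin and print one label.
# HTTP-01 and DNS-01 are recognised by protocol facts (the challenge URL path
# and the _acme-challenge TXT name); the rate-limit strings are Let's Encrypt's.
classify_dry_run() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'all simulated renewals succeeded'; then
        echo success
    elif printf '%s\n' "$out" | grep -qiE 'rateLimited|too many (certificates|failed authorizations)'; then
        echo rate-limit
    elif printf '%s\n' "$out" | grep -q '_acme-challenge\.'; then
        echo dns-01
    elif printf '%s\n' "$out" | grep -q '\.well-known/acme-challenge/'; then
        echo http-01
    else
        echo unknown          # read the full output and the log before acting
    fi
}

# failed_domains: print each "Domain:" name from Certbot's failure report (stdin).
failed_domains() {
    sed -n 's/^[[:space:]]*Domain:[[:space:]]*//p' | sort -u
}

# a_record_status: compare the A records a resolver returned (space separated)
# with this host's public IPv4. Prints match, mismatch or no-record.
a_record_status() {
    local records host_ip ip
    records=$1
    host_ip=$2
    if [ -z "$records" ]; then
        echo no-record
        return 0
    fi
    for ip in $records; do
        if [ "$ip" = "$host_ip" ]; then
            echo match
            return 0
        fi
    done
    echo mismatch
}

# triage DOMAIN HOST_IP: the decision tree in order. Needs root and network.
triage() {
    local domain host_ip out label
    domain=$1
    host_ip=$2
    out=$(sudo certbot renew --dry-run 2>&1) || true   # never abort on a failed rehearsal
    label=$(printf '%s\n' "$out" | classify_dry_run)
    echo "dry-run: $label"
    if [ "$label" != success ]; then
        printf '%s\n' "$out" | failed_domains | sed 's/^/affected domain: /'
    fi
    sudo certbot certificates
    sudo tail -80 /var/log/letsencrypt/letsencrypt.log
    echo "A record for $domain: $(a_record_status "$(dig +short "$domain" A | tr '\n' ' ')" "$host_ip")"
}

# Constructed samples (not real Certbot output) used to exercise the classifier.
SAMPLE_OK='Simulating renewal of an existing certificate for example.com
Congratulations, all simulated renewals succeeded:'
SAMPLE_HTTP_FAIL='Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: example.com
  Type:   unauthorized
  Detail: 203.0.113.10: Invalid response from http://example.com/.well-known/acme-challenge/abc123: 404'
SAMPLE_DNS_FAIL='Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
  Domain: example.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com - check that a DNS record exists for this domain'
SAMPLE_RATE_LIMIT='Error creating new order :: too many certificates already issued for "example.com". Retry after 2024-01-01T00:00:00Z: see https://letsencrypt.org/docs/rate-limits/'

# Usage: sh certbot-triage.sh example.com 203.0.113.10 (only runs with both arguments)
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

Pass the host's public IPv4 explicitly rather than guessing it from an external lookup service; the operator usually knows it, and a mismatch label is exactly the "DNS points to another host" branch above.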

Bad fixes to avoid

Do not delete `/etc/letsencrypt` files manually. Do not switch challenge methods during an outage without understanding DNS and webroot routing. Do not expose private keys in tickets.

Common causes

  • HTTP challenge unreachable
  • Wrong DNS target
  • Expired plugin credentials
  • Webroot mismatch
  • Rate limit or account issue

What not to change yet

  • Do not delete certificate files manually.
  • Do not paste private key paths or account details publicly.
  • Do not reload web server config before syntax testing it (`nginx -t` or `apachectl configtest`).

Stop and escalate if

  • The next step could interrupt users, remove data, or lock out access.
  • The output includes secrets, customer data, or private infrastructure details.
  • You cannot explain the blast radius of the repair command.
