problem hub
Read-only first
Certbot renewal failed
Use dry-run renewal, certificate inventory, Certbot logs, and DNS checks before editing live TLS config.
Safest first command
sudo certbot renew --dry-run
Before you run this
Expected output: Dry-run renewal result, plugin output, challenge errors, or success text.
When not to use it: Do not delete certificate files or switch authenticators before reading the exact failed challenge and affected domain.
Expected output example
Cert not due for renewal, but simulating renewal for dry run
Congratulations, all simulated renewals succeeded
How to read the result
A dry-run failure usually names HTTP-01, DNS-01, plugin, rate-limit, or webroot issues. A dry-run success is a rehearsal, not a permanent guarantee.
What to check next
Dry run fails HTTP-01
Means: The challenge file may not be reachable over HTTP.
Next step: Check domains, webroot, and Nginx/Apache routing.
Certbot manages unexpected names
Means: The renewal config may not match the intended domain set.
Next step: List certificate names and domains.
DNS points to another host
Means: Validation may reach the wrong server.
Next step: Check current A records.
Certbot renewal decision tree
Run the dry run, list managed certificates, read recent Certbot logs, and verify DNS points to this host before editing live web server config.
sudo certbot renew --dry-run
sudo certbot certificates
sudo tail -80 /var/log/letsencrypt/letsencrypt.log
dig +short example.com A
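The decision tree above, worked as an added example that is not part of the original hub: the first function maps dry-run output to the hub's "Common causes" and "Next step" entries, the second compares `dig +short` output with this host's addresses. The sample output and IP addresses are constructed for the example, not captured from a real run.

```python
import re

# Constructed sample of `sudo certbot renew --dry-run` output (not a captured run);
# the wording follows the hub's expected-output example and common Certbot phrasing.
SAMPLE_HTTP01_FAILURE = """\
Simulating renewal of an existing certificate for example.com and www.example.com
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Challenge failed for domain www.example.com
Detail: Fetching http://www.example.com/.well-known/acme-challenge/TOKEN: Connection refused
Some challenges have failed.
"""

SAMPLE_SUCCESS = """\
Cert not due for renewal, but simulating renewal for dry run
Congratulations, all simulated renewals succeeded
"""

# Ordered rules: output pattern -> (cause from "Common causes", next step); first match wins.
RULES = [
    (r"too many certificates|rate ?limit", "Rate limit or account issue",
     "Check the ACME account and wait out the limit window; do not retry in a loop."),
    (r"dns-01", "Expired plugin credentials",
     "Check the DNS plugin credentials file and API access."),
    (r"http-01.*\b404\b", "Webroot mismatch",
     "Confirm the webroot Certbot writes to is the one the web server serves."),
    (r"http-01", "HTTP challenge unreachable",
     "Check domains, webroot, and Nginx/Apache routing."),
]

def classify_dry_run(output):
    """Return status, failed domains, likely cause, and the hub's next step for dry-run output."""
    if "all simulated renewals succeeded" in output:
        return {"status": "success", "domains": [], "cause": None, "next_step": None}
    domains = re.findall(r"Challenge failed for domain (\S+)", output)
    for pattern, cause, step in RULES:
        if re.search(pattern, output, re.IGNORECASE | re.DOTALL):
            return {"status": "failure", "domains": domains, "cause": cause, "next_step": step}
    return {"status": "failure", "domains": domains, "cause": "Unknown",
            "next_step": "Read recent Certbot logs before changing config."}

def dns_points_here(dig_output, host_ips):
    """Compare `dig +short NAME A` output with this host's public IPs (both supplied by the caller)."""
    records = [line.strip() for line in dig_output.splitlines() if line.strip()]
    # Every A record must be one of this host's addresses, and there must be at least one.
    return {"records": records, "points_here": bool(records) and set(records) <= set(host_ips)}
```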
Bad fixes to avoid
Do not delete `/etc/letsencrypt` files manually. Do not switch challenge methods during an outage without understanding DNS and webroot routing. Do not expose private keys in tickets.
Common causes
- HTTP challenge unreachable
- Wrong DNS target
- Expired plugin credentials
- Webroot mismatch
- Rate limit or account issue
What not to change yet
- Do not delete certificate files manually.
- Do not paste private key paths or account details publicly.
- Do not reload web server config before syntax testing.
Stop and escalate if
- The next step could interrupt users, remove data, or lock out access.
- The output includes secrets, customer data, or private infrastructure details.
- You cannot explain the blast radius of the repair command.
Guides and drills
- Nginx 403 hub: Use when HTTP challenge paths are forbidden.