# Let's Encrypt renewal

Understand and verify automatic Let's Encrypt certificate renewal via Certbot on a HolyCloud VPS.

Let's Encrypt certificates are valid for 90 days. On a HolyCloud Linux VPS configured with Certbot, renewal is normally automatic via systemd or cron. This guide explains how to verify, test, and fix renewal failures.

## Prerequisites

- HolyCloud VPS with Certbot already installed (see Nginx + Certbot tutorial)
- Certificates obtained in webroot or nginx mode
- Domain still pointing to the VPS IP
- Ports 80 and 443 reachable from the Internet

## Understand the lifecycle

| Element | Detail |
|--------|--------|
| Duration | 90 days |
| Recommended renewal | 30 days before expiry |
| Tool | `certbot renew` |
| Scheduling | systemd timer `certbot.timer` or cron |

List your certificates:

```bash
sudo certbot certificates
```

Note Expiry Date and Certificate Path (often `/etc/letsencrypt/live/votredomaine.fr/`).

## Step 1: check the systemd timer

On recent Ubuntu/Debian:

```bash
systemctl list-timers | grep certbot
sudo systemctl status certbot.timer
```

Enable if needed:

```bash
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
```

Next run:

```bash
systemctl list-timers certbot.timer
```

## Step 2: dry-run renewal test

Simulate renewal without changing production certificates:

```bash
sudo certbot renew --dry-run
```

Expected result:

```
Congratulations, all simulated renewals succeeded.
```
On failure, read the log:

```bash
sudo tail -100 /var/log/letsencrypt/letsencrypt.log
```

## Step 3: manual renewal (if needed)

If the timer failed or before maintenance:

```bash
sudo certbot renew
sudo systemctl reload nginx
```

With Apache:

```bash
sudo certbot renew
sudo systemctl reload apache2
```

Post-renewal hook (automatic Nginx reload) — file `/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh`:

```bash
#!/bin/bash
systemctl reload nginx
```

```bash
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
```

## Step 4: expiry monitoring

Check the date with OpenSSL:

```bash
echo | openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -noout -dates
```

Simple alert script (adapt for email or monitoring):

```bash
DOMAIN=www.example.com
# Read the notAfter date of the certificate served on port 443
EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
echo "Expiration : $EXPIRY"
```

## Common failure causes on HolyCloud VPS

- DNS: domain no longer points to the VPS IP after migration
- Firewall: port 80 closed (HTTP-01 challenge)
- Nginx: virtual host changed, wrong `server_name`
- Let's Encrypt rate limit: too many attempts — wait or use staging for tests: `sudo certbot renew --dry-run --server https://acme-staging-v02.api.letsencrypt.org/directory`
- Revoked certificate: re-issue with `sudo certbot certonly --nginx -d votredomaine.fr`

## Step 5: alternative cron (if no timer)

Check `/etc/cron.d/certbot` or add:

```
0 3 * * * root certbot renew --quiet --deploy-hook "systemctl reload nginx"
```

## Verification

```bash
sudo certbot certificates
sudo certbot renew --dry-run
curl -vI https://www.example.com 2>&1 | grep -i expire
```

## Need help?
- Dry-run OK but site errors: reload Nginx (`sudo nginx -t && sudo systemctl reload nginx`)
- Challenge failed: verify the domain resolves to the IP shown in the HolyCloud customer area
- HolyCloud support: `certbot certificates` output, `letsencrypt.log` excerpt, `dig +short votredomaine.fr` result
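
An added example (not part of the original guide) that extends the Step 4 alert script: it turns the certificate's `notAfter` date into an OK/WARN/CRIT/EXPIRED status that cron or a monitoring check can act on. The 7-day critical threshold, the function names and the exit codes are assumptions of this example, and it relies on GNU `date -d`.

```shell
#!/bin/bash
# Added example: classify a certificate's notAfter date against renewal thresholds.
WARN_DAYS=30   # renewal should already have happened 30 days before expiry
CRIT_DAYS=7    # assumption: threshold chosen for this example

# classify_expiry "<notAfter>" [now_epoch] -> prints OK|WARN|CRIT|EXPIRED|UNKNOWN
# Exit status: 0 OK, 1 WARN, 2 CRIT/EXPIRED, 3 UNKNOWN.
classify_expiry() {
    local expiry now left
    # An empty date means the TLS handshake or parsing failed. GNU date would
    # read "" as today at midnight, so reject it explicitly.
    [ -n "$1" ] || { echo UNKNOWN; return 3; }
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || { echo UNKNOWN; return 3; }
    now=${2:-$(date -u +%s)}
    left=$(( expiry - now ))
    if   [ "$left" -le 0 ]; then echo EXPIRED; return 2
    elif [ "$left" -lt $(( CRIT_DAYS * 86400 )) ]; then echo CRIT; return 2
    elif [ "$left" -lt $(( WARN_DAYS * 86400 )) ]; then echo WARN; return 1
    else echo OK; return 0
    fi
}

# fetch_enddate host [port] -> notAfter string of the certificate served live
fetch_enddate() {
    echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# check_host host -> prints "host STATUS (notAfter)", returns classify_expiry's status
check_host() {
    local end status rc
    end=$(fetch_enddate "$1")
    status=$(classify_expiry "$end"); rc=$?
    echo "$1 $status (${end:-no certificate read})"
    return "$rc"
}

# Usage: ./cert-expiry.sh www.example.com [more hosts...]; worst status wins.
if [ $# -gt 0 ]; then
    worst=0
    for host in "$@"; do
        check_host "$host"; rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    exit "$worst"
fi
```

A WARN result means the automatic renewal has already missed its window, so check the timer and `letsencrypt.log` before the certificate reaches CRIT.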