Installing Let’s Encrypt SSL is only the first step in securing your website. The real responsibility begins after that—making sure your SSL certificates never expire.
Let’s Encrypt certificates are valid for 90 days only. If auto-renewal fails and a certificate expires, browsers start showing security warnings, API clients may refuse to connect, and user trust takes a hit. This is why verifying and monitoring Let’s Encrypt auto-renewal is critical for any production server.
In this article, we’ll explain how Let’s Encrypt auto renewal works on Ubuntu with Nginx, how to verify it, how to test it safely, and how to troubleshoot real-world renewal failures.
If you haven’t installed Let’s Encrypt yet, make sure you complete that first using our detailed guide here:
👉 https://infrarunbook.com/article/how-to-install-lets-encrypt-and-use-it-with-nginx-on-ubuntu
How Let’s Encrypt Auto-Renewal Actually Works
Let’s Encrypt itself does not renew certificates automatically.
That responsibility is handled by Certbot.
On Ubuntu:
- Certbot installs a systemd timer
- The timer runs twice daily
- It checks certificates expiring in ≤30 days
- If renewal is needed, it renews silently
- Nginx is reloaded automatically
👉 If everything is set up correctly, no manual action is required.
Step 1: Confirm Certbot Is Installed
First, verify Certbot is present:
certbot --version
Expected output:
certbot X.Y.Z
If Certbot is missing, install it:
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
Step 2: Check Certbot Systemd Timer (Most Important Step)
This is the heart of auto-renewal.
Check the Timer Status
systemctl list-timers | grep certbot
You should see output similar to:
certbot.timer loaded active waiting
If this exists → auto-renewal is enabled.
Check Detailed Timer Info
systemctl status certbot.timer
Look for:
- Active: active (waiting)
- The next trigger time
If the timer is disabled, enable it:
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
Step 3: Perform a Safe Dry-Run Renewal Test
This is the single most important test you can do.
sudo certbot renew --dry-run
What This Does
- Simulates certificate renewal
- Uses Let’s Encrypt staging servers
- Makes no real changes
- Validates firewall, DNS, and Nginx config
Expected Output
Congratulations, all simulated renewals succeeded
If this fails, real renewal will also fail.
Step 4: Verify Certificate Expiry Date
Check current certificate expiry:
sudo certbot certificates
Or directly:
openssl x509 -in /etc/letsencrypt/live/infrarunbook.com/fullchain.pem -noout -dates
You’ll see:
notAfter=...
Certbot renews automatically when ≤30 days remain.
Step 5: Understand Where Renewal Logs Live
When renewal fails, logs tell you exactly why.
Main log file:
/var/log/letsencrypt/letsencrypt.log
Check recent activity:
sudo tail -f /var/log/letsencrypt/letsencrypt.log
Never troubleshoot renewal without reading this log first.
Step 6: Firewall Requirements for Auto Renewal
This is a very common mistake.
Even if you force HTTPS:
- Port 80 must remain open
- Certbot uses the HTTP-01 challenge by default, and Let’s Encrypt validates it over port 80
Ensure firewall allows HTTP:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload
⚠️ Blocking port 80 = renewal failure.
Step 7: Nginx Configuration Requirements
Certbot renewal depends on:
- A correct server_name
- An accessible HTTP server block
- No broken redirects
Your HTTP block should exist:
server {
    listen 80;
    server_name infrarunbook.com www.infrarunbook.com;
    return 301 https://infrarunbook.com$request_uri;
}
Even though it redirects, it must exist.
Step 8: Common Auto-Renewal Failures (Real World)
Let’s cover what actually breaks renewals.
❌ Failure 1: DNS Changed or Misconfigured
Symptoms
- Renewal fails suddenly
- Domain no longer points to server
Fix
dig infrarunbook.com
Ensure IP matches your server.
❌ Failure 2: Port 80 Closed
Symptoms
- Certbot timeout errors
- Validation failures
Fix
sudo ufw allow 80/tcp
❌ Failure 3: Nginx Not Running
Symptoms
- Certbot cannot serve challenge files
Fix
sudo systemctl status nginx
sudo systemctl start nginx
❌ Failure 4: Expired Certificate Already Installed
Fix
Force renewal:
sudo certbot renew --force-renewal
Then reload Nginx.
Step 9: Reload Nginx After Renewal (If Needed)
Certbot usually reloads Nginx automatically.
But you can verify:
sudo systemctl reload nginx
Never restart unless required—reload is enough.
Step 10: Optional – Add Renewal Monitoring (Recommended)
For production systems, you should monitor renewal success.
Options:
- Cron job alert on failure
- Log monitoring
- External uptime / SSL monitors
Even a simple weekly check helps avoid surprises.
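One script that ties together the timer check from Step 2, the expiry check from Step 4 and the alerting this step recommends, written for this article as an added example (it is not from the original post or from Certbot). It assumes GNU date, openssl and systemd as found on Ubuntu, the Certbot live path used in Step 4, and a warning threshold of 20 days.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: a cron-friendly health check for
# Let's Encrypt auto-renewal. Assumes GNU date (Ubuntu), openssl, systemd and the
# default Certbot paths. Exit code 0 = OK, 1 = WARN, 2 = CRITICAL, so cron or a
# monitoring agent can alert on a non-zero status.

# days_left "<notAfter value>" [now_epoch]: whole days until expiry, negative once expired
days_left() {
  local not_after="$1" now="${2:-$(date -u +%s)}" exp
  exp=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (exp - now) / 86400 ))
}

# not_after_from_dates "<output of openssl x509 -noout -dates>": extracts the notAfter value
not_after_from_dates() {
  printf '%s\n' "$1" | sed -n 's/^notAfter=//p'
}

# cert_status <days_left> <warn_days>: Certbot renews at 30 days or less, so a cert still
# under warn_days means renewal has already failed (WARN); past expiry is CRITICAL.
cert_status() {
  if [ "$1" -lt 0 ]; then echo CRITICAL
  elif [ "$1" -lt "$2" ]; then echo WARN
  else echo OK
  fi
}

# check_renewal <fullchain.pem> <warn_days>: timer check (Step 2) plus expiry check (Step 4)
check_renewal() {
  local cert="$1" warn="$2" rc=0 dates not_after days status
  if ! systemctl is-active --quiet certbot.timer; then
    echo "CRITICAL: certbot.timer is not active (sudo systemctl enable --now certbot.timer)"
    rc=2
  fi
  dates=$(openssl x509 -in "$cert" -noout -dates) || { echo "CRITICAL: cannot read $cert"; return 2; }
  not_after=$(not_after_from_dates "$dates")
  days=$(days_left "$not_after")
  status=$(cert_status "$days" "$warn")
  echo "$status: $cert expires in $days days (notAfter=$not_after)"
  case "$status" in
    WARN) [ "$rc" -eq 0 ] && rc=1 ;;
    CRITICAL) rc=2 ;;
  esac
  return "$rc"
}
# Usage: certbot-health.sh /etc/letsencrypt/live/infrarunbook.com/fullchain.pem [warn_days]
if [ "$#" -gt 0 ]; then
  check_renewal "$1" "${2:-20}"
  exit "$?"
fi
```

Run it from a weekly cron entry or your monitoring agent and alert on a non-zero exit code.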
Best Practices for Let’s Encrypt Auto Renewal
- Always test with --dry-run
- Never block port 80
- Keep Nginx configs clean
- Don’t delete /etc/letsencrypt
- Monitor logs monthly
- Combine with HSTS only after stable renewal
Final Thoughts
Let’s Encrypt auto-renewal on Ubuntu with Nginx is extremely reliable—if it’s set up correctly. Most certificate outages happen not because Let’s Encrypt fails, but because:
- Firewalls block port 80
- DNS changes silently
- Nginx configs are broken
Once auto-renewal is verified and monitored, SSL becomes a set-and-forget system, exactly how it should be.
For infrarunbook.com, this completes the SSL lifecycle:
- Install Let’s Encrypt ✅
- Redirect HTTP → HTTPS ✅
- Enable HSTS (carefully) ✅
- Ensure auto-renewal ✅
