Certbot SSL renewal: automatic renewal with systemd timer
Problem
Let's Encrypt certificates expire after 90 days. Manual renewal is error-prone and can cause downtime if forgotten.
Solution
Use certbot's built-in systemd timer instead of a cron job:
# Check that the timer is active
systemctl status certbot.timer
# If not active, enable it
systemctl enable --now certbot.timer
# Test renewal without actually renewing
certbot renew --dry-run
# If using nginx, add a deploy hook to reload nginx after renewal
echo '#!/bin/bash
nginx -s reload' > /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Verify the timer fires twice daily:
systemctl list-timers | grep certbot
Why
The certbot package on modern Debian/Ubuntu installs a systemd timer by default. Using it is more reliable than custom cron jobs and handles edge cases like renewing multiple domains.
Gotchas
- Port 80 must be open for HTTP-01 challenge — firewall rules can silently block renewal
- If using --standalone mode, the web server must be stopped during renewal; use --nginx or --apache plugin instead
- Wildcard certs require DNS-01 challenge, which needs API access to your DNS provider
- Check /var/log/letsencrypt/letsencrypt.log if renewal fails
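The gotchas above share one failure mode: renewal fails quietly while certbot.timer still shows as active. As an added example (not part of the original page or of certbot), this script flags certificates that certbot should already have renewed. It assumes GNU date, openssl, certbot's default /etc/letsencrypt/live layout, and certbot's default of renewing when fewer than 30 days remain; WARN_DAYS and the function names are illustrative.

```shell
#!/bin/sh
# Added example: detect silent renewal failure by checking how long each
# certbot-managed certificate has left. Requires GNU date and openssl.

# Constructed threshold (assumption): certbot normally renews at <30 days
# remaining, so fewer than 20 days left means renewals have been failing.
WARN_DAYS="${WARN_DAYS:-20}"

# cert_status "<notAfter as printed by openssl>" [now_epoch]
# Prints OK/RENEWAL_OVERDUE with whole days left, EXPIRED, or UNPARSEABLE.
cert_status() {
    local end left now
    now="${2:-$(date +%s)}"
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    left=$(( end - now ))
    # Compare in seconds: integer division would round "expired an hour
    # ago" to 0 days and hide it.
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo "RENEWAL_OVERDUE $(( left / 86400 ))d"
    else
        echo "OK $(( left / 86400 ))d"
    fi
}

# check_live_certs [dir]: returns non-zero if any certificate is not OK.
check_live_certs() {
    local dir cert end status rc
    dir="${1:-/etc/letsencrypt/live}"
    rc=0
    for cert in "$dir"/*/cert.pem; do
        [ -e "$cert" ] || continue      # glob matched nothing
        end=$(openssl x509 -noout -enddate -in "$cert" | cut -d= -f2) || true
        status=$(cert_status "$end") || true
        echo "$cert: $status"
        case "$status" in OK*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}
```

Run check_live_certs from a monitoring job that is independent of certbot.timer, and alert on a non-zero exit.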