Certbot renew failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: marineplan.net

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/marineplan.net.conf


Renewing an existing certificate for marineplan.net
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Failed to renew certificate marineplan.net with error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/marineplan.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx nginx/1.22.1 for https, dedicated http implementation on :8080

The operating system my web server runs on is (include version):
Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is:
netcup

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.1.0

So it all worked for months, and this morning I found HTTPS failed; I checked the certificate and it was stale. Not sure what port 80 or Apache is doing here; I do not use Apache, nor port 80.

Well, there's a lot to sort out here.

First, a Certbot renew requests a cert using the same options as used for the previous successful cert request. So, at one point Apache must have been successful for Certbot renew to try again.

Second, while you may not "use" port 80 an HTTP Challenge requires something to respond to an HTTP request on port 80.

Third, your nginx server is replying on port 80 and port 8080. Nothing technically wrong there, apart from you said you don't use port 80. And, why would you use 8080 if 80 was working?

To me it looks like you had Apache on port 80 at one time, but now nginx uses that port, so Apache cannot bind to it to handle the cert challenge.

You don't need Apache to get a cert. You can use that nginx server. But, the cert must be re-requested using something compatible with nginx.

It would help to better understand what you meant by not using port 80 or Apache.

3 Likes

Thanks for the swift reply. The application/implementation just runs on port 8080, which was a choice from the past and never gave trouble. Apache was never installed on the instance, by the way. http:80 always propagated to https without issues; I expect this was an nginx feature.

What concerns me a bit is port 80 is taken, so the challenge fails?

PS For me as a pure coder this is kind of magic, so forgive me if I use the wrong word or assume some logic.

Works:

Fails:
https://marineplan.net/api/info.html?id=127959&language=en

with

net::ERR_CERT_DATE_INVALID
Subject: marineplan.net

Issuer: E8

Expires on: 14 dec 2025

Current date: 16 dec 2025

PEM encoded chain:

Certificate Transparency:

SCT DigiCert 'Sphinx2025h2' Log (Embedded in certificate, Verified)

SCT Let's Encrypt 'Oak2025h2' (Embedded in certificate, Verified)

Well, we better take a look at the Certbot renewal config file then, because Certbot thinks you did :)

Please show contents of: /etc/letsencrypt/renewal/marineplan.net.conf

Perhaps. Your nginx today replies to HTTP on port 80 and redirects, still over HTTP (port 80), to your www subdomain.

curl -i http://marineplan.net
HTTP/1.1 301 301
Server: nginx/1.22.1
Location: http://www.marineplan.com

But, nginx does not redirect from HTTP to HTTPS today. Instead it just handles the port 80 request. Interestingly, while it says "Server: nginx", the page shown is a default Apache page! Possibly you have nginx using a root folder value that points to where an Apache used to be?

curl -i http://www.marineplan.net
HTTP/1.1 200 OK
Server: nginx/1.22.1

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Apache2 Debian Default Page: It works</title>

There is an Apache on your system. We know this because the error didn't say the Apache program wasn't found. The error says Apache started but could not bind to port 80 (because nginx is using it).

3 Likes

renew_before_expiry = 30 days

version = 2.1.0
archive_dir = /etc/letsencrypt/archive/marineplan.net
cert = /etc/letsencrypt/live/marineplan.net/cert.pem
privkey = /etc/letsencrypt/live/marineplan.net/privkey.pem
chain = /etc/letsencrypt/live/marineplan.net/chain.pem
fullchain = /etc/letsencrypt/live/marineplan.net/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 2ec71f50fe13f182d67a84242df27b76
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Thanks for the Apache check (I could have done that myself - oops). Apparently it was pre-installed in the Debian instance I rented. Sorry for that. I do not need it. Would de-installing it bring us closer to a resolution? My http server at 8080 is just a java thing we wrote, listening to 8080 without any 3rd party dependencies.

No, we can use your nginx server to get the cert. It is already listening on port 80 anyway.

Sadly, I've run out of time today so perhaps someone else can help you. Or, perhaps me sometime tomorrow.

Whoever it is that helps would benefit from seeing the nginx server block for port 80 for that domain.

Or, show your entire nginx config with the command below. It will be long. An upper case T is essential.

sudo nginx -T
2 Likes

Thanks. Here is the -T dump.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/avif                            avif;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;

    font/woff                             woff;
    font/woff2                            woff2;

    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.oasis.opendocument.graphics        odg;
    application/vnd.oasis.opendocument.presentation    odp;
    application/vnd.oasis.opendocument.spreadsheet     ods;
    application/vnd.oasis.opendocument.text            odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation    pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet    xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.wap.wmlc              wmlc;
    application/wasm                      wasm;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/api.marineplan.net:
server {
        listen 80;
        listen [::]:80;
        server_name api.marineplan.net;
        location / {
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header   Host             $host;
                proxy_pass http://127.0.0.1:8080/;
        }

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/marineplan.net/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/marineplan.net/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}


# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

Small note: Maybe good to remember that the whole setup worked before the cert timed out today/yesterday. There was no manual intervention.

Thanks to Mike and hopefully somebody else can assist today/tomorrow. Grateful for all help!

Issue has been resolved, resolution will be posted soon for reference.

Does not look resolved to me. You still have an expired cert and HTTP requests are not getting redirected to HTTPS.

And, whatever you did I hope it involved creating a server block for your marineplan.net and its www subdomain. Requests to those domains are using your default server block instead.

I also suggest splitting your single server block for api.marineplan.net into two blocks if you still need that.

You have one server block listening on both port 80 and 443. While that can work it is difficult to get right even for a skilled admin. Separate server blocks for port 80 and 443 will be much easier to manage.

2 Likes
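A split layout of the kind described above, written here as an added example and not the poster's own config: one port-80 block that only redirects, and one port-443 block that terminates TLS and proxies to the Java application on 127.0.0.1:8080 seen in the nginx -T dump. The certificate paths are the ones Certbot already wrote; www.marineplan.net appears only in the port-80 block because the current certificate covers just the apex name.

```nginx
# /etc/nginx/sites-enabled/marineplan.net  (example layout, not the original file)

# Port 80: plain HTTP for both names. Its only job is to answer the
# HTTP-01 challenge (Certbot's nginx authenticator inserts that location
# itself during issuance) and to send everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name marineplan.net www.marineplan.net;

    # Redirect to the apex name: the issued cert lists only marineplan.net,
    # so pointing browsers at https://www.marineplan.net would fail.
    return 301 https://marineplan.net$request_uri;
}

# Port 443: TLS terminates here; the Java API on 127.0.0.1:8080 keeps
# speaking plain HTTP on loopback only.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name marineplan.net;

    ssl_certificate     /etc/letsencrypt/live/marineplan.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/marineplan.net/privkey.pem;   # managed by Certbot
    include             /etc/letsencrypt/options-ssl-nginx.conf;            # managed by Certbot
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;                  # managed by Certbot

    location / {
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # lets the API know it was HTTPS
        proxy_set_header Host              $host;
        proxy_pass http://127.0.0.1:8080/;
    }
}
```

Check the syntax with `sudo nginx -t` before reloading, and keep the `# managed by Certbot` lines as-is so the renewal hook can still find them.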

Thanks for your concern. I asked a friend to make sure at least the cert is updated by not using Apache but Nginx. Apache can go as it is useless to me, it was not envisioned and happened to be in the way, Nginx by itself is enough and the less moving parts, the better.

Maybe good to know this is not a regular web server with www subdomain, it is an API endpoint with a few html pages rendered for a very specific purpose. A lesser concern is http traffic, I can look into that separately, but to be honest there is no http traffic needed nor expected. It would be a nice to have just to be safe for any unforeseen scenario.

Not sure about the expiry, E8 says it is 2026-03-16 for the subdomainless domain, which is proper I believe? It should have been api.marineplan.com but that went wrong somehow and an empty subdomain is fine, it will change one day.

Please understand I do value any feedback and will take it into consideration.

That's fine but you described marineplan.net as the domain needing a cert. That led me astray.

If you only need a cert for the api subdomain that's different. I would still split the server block for that domain into two separate ones as I described previously.

The cert used for connections to the api subdomain is not correct. The cert being used is only for your apex domain.

We should also assess what cert configs Certbot has for you. Please show output of this:

sudo certbot certificates

For actual API requests that may be so. But, the method easiest to use to get a cert relies on properly functioning HTTP on port 80.

2 Likes

Maybe I was not clear. We did originally envision the api subdomain, but we left it out, so we use no subdomain at all.

Some settings mention it but we do not use it. It was by accident but not harmful. We left it as is and when we are bored, we can pick it up from there.

The 80 traffic we do not use ourselves, that's what I tried to say. Of course it should work for the cert update, and it did.

..
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: marineplan.net
    Serial Number: 6326b038e1ff117ed8b395e728ba8cc9385
    Key Type: ECDSA
    Domains: marineplan.net
    Expiry Date: 2026-03-16 06:53:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/marineplan.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/marineplan.net/privkey.pem
..

Crappy formatting due to a 3 steps say on my phone on an island in Thailand at midnight...

Not trying to be argumentative but the only server block you showed with a domain name was for your api subdomain.

You had a default server block for port 80 that would process HTTP requests for any other domain name. But, it is generally poor practice to rely on that.

And, unless you changed your nginx config since you showed it, the server block for your api subdomain is the default for any HTTPS request on port 443. Why? Because it is the only server block you have listening on that port. That is just how nginx works.

I'm pretty sure I know what you are trying to do (I run api servers myself). But, the nginx layout is, um, really messy :)

If you clean that up and want me to review it have at it. I'm not sure what more I can offer at this point.

To test whether whatever you did will work for a cert renew run:

sudo certbot renew --dry-run

It will not affect your nginx config or your existing production certs.

2 Likes