Expired certs - auto-renew or manual

I have the SNAP version of certbot installed with auto-renew on Ubuntu 22.04 LTS. Due to some issues with systemd / init, I'm running nginx as a process; because of this, the "snap application certbot.renew" has crashed/failed to renew certificates automatically.

When running "certbot certonly --force-renew" it asks: "Are you trying to change the key type of the certificate named <<removed-domain>>-0001 from ECDSA to RSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make."

Questions:

1. Is there any way to re-enable auto-renew for expired certs?
2. If only manual renewal is possible, what additional commands do I need to pass for a successful renewal?

Thanks.

My domain is:

I ran this command:

sudo certbot certificates

It produced this output:

Found the following certs:
  Certificate Name: <<removed>>-0001
    Serial Number: 529dd4a75ea30b7d03a41ec3aad78b5f852
    Key Type: ECDSA
    Domains: <<removed>>
    Expiry Date: 2026-04-09 16:26:02+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/<<removed>>-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/<<removed>>-0001/privkey.pem
  Certificate Name: <<removed>>
    Serial Number: 5d97181960be7233a43230b4d66cd33c850
    Key Type: ECDSA
    Domains: <<removed>> www.<<removed>>
    Expiry Date: 2026-04-07 11:06:12+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/<<removed>>/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/<<removed>>/privkey.pem

My web server is (include version):

nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 22.04.5 LTS

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 5.5 (SNAP version) and certbot 1.21.0

Sure, but not sure what problem you had originally. First, does the snap version of Certbot work? Why do you also have the apt version? Anyway, what does this show:

sudo certbot --version

And this

sudo certbot renew --dry-run
4 Likes

Pick one, and remove the other.
[I'd pick the SNAP version]

4 Likes
~$ sudo certbot --version
certbot 1.21.0

~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<<removed>>-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for <<removed>>

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: <<removed>>
  Type:   connection
  Detail: <<public-IP>>: Fetching http://<<removed>>/.well-known/acme-challenge/GjHH7L9hXIrXUntrM_buF_bIiOvfzSHpqoUT_QPkyUc: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate <<removed>>-0001 with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<<removed>>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for <<removed>> and www.<<removed>>

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: <<removed>>
  Type:   connection
  Detail: <<public-IP>>: Fetching http://<<removed>>/.well-known/acme-challenge/fIeMli5mhcnv5jycqYUXTR-LxKV95MF6nBrxIfqd9oE: Timeout during connect (likely firewall problem)

  Domain: www.<<removed>>
  Type:   connection
  Detail: <<public-IP>>: Fetching http://www.<<removed>>/.well-known/acme-challenge/qwBIsyh2phSeilg7INjz1KmK4j-8OzbTWC-0rd562DY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate <<removed>> with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/<<removed>>-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/<<removed>>/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' reported error code 1
Hook 'post-hook' ran with error output:
 Job for nginx.service failed because the control process exited with error code.
 See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The server has full internet access.

Now that I have uninstalled the apt version, what should I do?

Based on the above it looks like you removed the snap version (5.5). Or, do you mean you have now also removed v1.21? In the end you should be using only the snap version.

As for what to do ... the error message saying "timeout" is pretty clear that Let's Encrypt's servers cannot reach your server.

You will need to find out why those HTTP requests from LE to you are timing out. Two tools we commonly use for testing connections are https://letsdebug.net and the HTTP test at Check website performance and response : Check host - online website monitoring (not its ping and not UDP, the HTTP test). Both of those sites should show successful connections if your local comms and server are set up right. Right now both of those probably fail just like Let's Encrypt.

The most common reason is that a firewall is blocking connections. But many other things can cause that. Without your actual domain name or more details of your setup there isn't much more specific we can say. Keep using those testing tools until you get successful connections and then retry the cert --dry-run. If that works, then try getting a fresh production cert.

Can you even reach your domain from outside your local network? Like a mobile phone with wifi disabled?

2 Likes
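A small triage script, added here as an example and not part of the thread or of certbot itself, that parses the kind of `certbot certificates` and `certbot renew --dry-run` output shown above (with constructed placeholder domains and a TEST-NET IP) and separates the symptom (expired certs) from the causes the reply points at: a "connection" challenge failure, meaning the CA never reached port 80, and a failing post-hook, meaning the nginx reload is broken:

```python
import re
from datetime import datetime, timezone

# Constructed sample of `certbot certificates` output with placeholder domains.
CERTIFICATES_OUTPUT = """\
  Certificate Name: example.invalid-0001
    Domains: example.invalid
    Expiry Date: 2026-04-09 16:26:02+00:00 (INVALID: EXPIRED)
  Certificate Name: example.invalid
    Domains: example.invalid www.example.invalid
    Expiry Date: 2026-04-07 11:06:12+00:00 (INVALID: EXPIRED)
"""
# Constructed sample: one failed challenge plus the post-hook line from a dry run.
DRY_RUN_OUTPUT = """\
  Domain: example.invalid
  Type:   connection
  Detail: 203.0.113.10: Fetching http://example.invalid/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)
Hook 'post-hook' reported error code 1
"""

def parse_certificates(text, now_iso=None):
    """Map cert name -> (domains, expiry, days_left); now_iso overrides the clock for testing."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    certs = {}
    for block in re.split(r"\n(?=  Certificate Name:)", text):
        name = re.search(r"Certificate Name: (\S+)", block)
        domains = re.search(r"Domains: (.+)", block)
        expiry = re.search(r"Expiry Date: (\S+ \S+)", block)
        if not (name and domains and expiry): continue
        exp = datetime.fromisoformat(expiry.group(1))
        certs[name.group(1)] = (domains.group(1).split(), exp, (exp - now).days)
    return certs

def parse_dry_run_failures(text):
    """Return (domain, failure type, detail) triples from `certbot renew --dry-run` output."""
    return re.findall(r"Domain: (\S+)\n\s*Type:\s+(\S+)\n\s*Detail: (.+)", text)

def triage(cert_text, dry_run_text, now_iso=None):
    """Separate the symptom (expired certs) from the causes (unreachable host, broken hook)."""
    findings = []
    for name, (domains, _exp, days) in parse_certificates(cert_text, now_iso).items():
        state = "EXPIRED" if days < 0 else f"{days} days left"
        findings.append(f"{name}: {state} ({', '.join(domains)})")
    for domain, ctype, detail in parse_dry_run_failures(dry_run_text):
        cause = ("CA could not connect on port 80; check firewall/NAT/DNS first"
                 if ctype == "connection" else f"{ctype} challenge failed")
        findings.append(f"{domain}: {cause}: {detail}")
    if "'post-hook' reported error" in dry_run_text:
        findings.append("post-hook failed: fix the nginx reload before a real renewal")
    return findings
```

Feed it the real output of the two commands (for example via `subprocess.run(["certbot", ...], capture_output=True, text=True).stdout`) to get the same findings for a live host.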