For Certbot Apache users whose renewals started to fail recently

A number of people on the forum have had configurations which have worked for a long time but which started having renewal failures recently.

There are many reasons that certificates could fail to renew, and not all problems have the same cause. But one important thing to know is that Certbot's behavior has changed in recent releases. An old method that many Certbot users used to prove control over their domain names, called TLS-SNI-01, is being disabled by the Let's Encrypt CA. Certbot releases since 0.28.0 have made a series of changes to help users switch away from this method to a different method called HTTP-01.

The main post on this forum with details about these changes is found at

These changes have been successful for most users. But in a few cases, if your Certbot was recently updated to 0.28.0 or later, you may have experienced renewal failures. There are two especially common reasons for this:

  • The HTTP-01 method uses port 80 instead of port 443 for validation. If you have a firewall (or a residential ISP) that blocks port 80, you can't use this method. This problem will typically result in an error about a connection timeout or refused connection during validation. In this case, you should ensure that inbound port 80 is unblocked in your configuration.

  • There is a known issue in Certbot versions before 0.31.0 that prevents the HTTP-01 challenge from passing with some particular Apache configurations, while others work fine. This problem will typically result in a "404 not found" error during validation. In this case, if you can update to Certbot 0.31.0 or later, the chance of Certbot successfully completing the HTTP-01 challenge is increased.
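As an added illustration (not part of the original post or of Certbot itself), the shell script below sorts a renewal failure message into the two causes listed above, a blocked port 80 versus an Apache 404 on the challenge path, and prints the matching advice. The string patterns it matches on (timeout, connection refused, 404) are assumptions based on the wording described in this post rather than an exhaustive list of Certbot's messages, the sample messages are constructed, and `example.com` with a `placeholder-token` stands in for a real domain and challenge token.

```shell
#!/bin/sh
# Added example: triage a Certbot HTTP-01 renewal failure into the two common
# causes from the post. Patterns below are assumptions about error wording.

classify_renewal_error() {
    # $1: the error text from the failed renewal attempt
    msg="$1"
    case "$msg" in
        # A 404 means the challenge URL was reached but Apache did not serve
        # the token (the pre-0.31.0 Apache plugin issue).
        *"404"*)
            echo "apache-404" ;;
        # Timeouts and refused connections mean port 80 never answered, which
        # is what a firewall or ISP blocking inbound port 80 looks like.
        *"Connection refused"*|*"Timeout"*|*"timed out"*)
            echo "port80-blocked" ;;
        *)
            echo "unknown" ;;
    esac
}

advice_for() {
    # $1: a category returned by classify_renewal_error
    case "$1" in
        port80-blocked)
            echo "HTTP-01 uses inbound TCP port 80, not 443: allow port 80 through your firewall (or check with your ISP), then run 'certbot renew --dry-run'." ;;
        apache-404)
            echo "Apache returned 404 for /.well-known/acme-challenge/: update Certbot to 0.31.0 or later, then run 'certbot renew --dry-run'." ;;
        *)
            echo "Not one of the two common causes; open a Help thread on the forum with the full error output." ;;
    esac
}

port80_listener_present() {
    # Optional local pre-check: is anything listening on TCP port 80 on this
    # host? Uses ss if available; returns 2 (skipped) when it is not.
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn 2>/dev/null | grep -q ':80[[:space:]]'
}

# Constructed sample messages (not real Certbot output) for demonstration.
SAMPLE_TIMEOUT="Detail: Fetching http://example.com/.well-known/acme-challenge/placeholder-token: Timeout during connect (likely firewall problem)"
SAMPLE_404="Detail: Invalid response from http://example.com/.well-known/acme-challenge/placeholder-token: 404"

for sample in "$SAMPLE_TIMEOUT" "$SAMPLE_404"; do
    category=$(classify_renewal_error "$sample")
    echo "$category: $(advice_for "$category")"
done
```

To use it on a real failure, pass the "Detail:" line from Certbot's output (or from /var/log/letsencrypt/letsencrypt.log) to `classify_renewal_error`; the listener check only tells you whether something is bound to port 80 locally, not whether the port is reachable from the internet, so a firewall in front of the host can still block validation.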

I'm making this post because these are the most common recent problems with renewal for people who use Certbot and Apache. If none of this advice applies to your situation, please feel free to open your own Help thread here on the forum and fill out the form with the details of your problem.
