Issue with renewing certificate

I wanna use a staging environment to check before using production.

i have done SSL with command: certbot certonly --webroot --agree-tos --email -d mydomain -w /var/www/mydomain/

However, when I check the test environment to renew the certificate with the command: certbot renew -d mydomain --dry-run. I received a notification below: I don't know certainly that this above command is true or false because I search on the internet, most people show a congratulations notification unlike me.

My notification:
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

May everybody help me to understand this notification?

1 Like

Hi @diepgiahung096, and welcome to the LE community forum :slight_smile:

Please try:
certbot renew --dry-run

Side note: The original command shown with webroot is out of order: All the webroot parts need to come before the domain is declared.

Should be more like:

certbot certonly --agree-tos --email --webroot -w /var/www/mydomain/ -d mydomain
1 Like

when I check the certificate that still works.

app@nginx:~$ sudo certbot certificates
sudo: unable to resolve host nginx: Name or service not known
[sudo] password for app:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: mydomain
Domains: mydomain
Expiry Date: 2021-10-13 17:18:56+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/mydomain/fullchain.pem
Private Key Path: /etc/letsencrypt/live/

i have tried certbot renew --dry-run, however, it failed, I received a notification like this

app@nginx:~$ sudo certbot renew --dry-run
sudo: unable to resolve host nginx: Name or service not known
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mydomain.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain
Using the webroot path /var/www/mydomain for all unmatched domains.
Waiting for verification...
Challenge failed for domain mydomain http-01 challenge for mydomain
Cleaning up challenges
Attempting to renew cert (mydomain) from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)


  • The following errors were reported by the server:

    Domain: mydomain
    Type: connection
    Detail: Fetching
    Invalid empty hostname in redirect target

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

1 Like

Check your configs and ensure the webroot being used by certbot is the same one being served by nginx for that domain.
Also pay close attention to the redirection and the nginx HTTPS config.

1 Like

i have some question so may you help me to explain them ?.
I read information on the internet and i wonder that using certbot renew --dry-run command is only to check what is wrong certification or right certificate. If it is right i will use certbot renew command to renew my cert that is about to expire.

1 Like

certbot renew --dry-run is to check if certificates can be renewed.
If any renewal was not possible, it should show entries in the logs as to any reason(s) for such failure(s).

certbot renew is the correct command to renew expiring certs.
It should be run on a schedule at least once a day - recommended twice a day.
Most of the time it will just check but have nothing to do; while certs are not nearing their expirations.


thank you so much.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.