Renew certificates

Hi,
I set up my certificates many months ago together with a cron job to renew them automatically. I’ve been receiving warnings that my certificates need renewing and now my site is ^%#$*!#$!

Has something changed?

TIA

John

Nothing that should disable renewing.

You should post commands and elaborate logs with the exact error message to debug this problem further.


Fair call but I’ll need my hand held, I’m afraid.

This is the cron command:
0 6 * * * /etc/letsencrypt/certbot-auto renew --text >> /etc/letsencrypt/certbot/certbot-cron.log && sudo service nginx reload

What logs can I show you, please?

Thanks for your help.

John

That one please. 

OK but it’s massive. Is there a command that’ll give you what you need?
J

Here’s the top 500 lines:

sudo head -500 /etc/letsencrypt/certbot/certbot-cron.log

The command appends the log to the file, so the most recent lines would be more helpful than the beginning. Shouldn’t be too difficult to parse yourself, just check the bottom of the file. If you don’t know what all the lines mean, you can post the last 50 or so here.

Try this:
sudo tail -n 50 /etc/letsencrypt/certbot/certbot-cron.log

404 Not Found

404 Not Found


"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Are those 50 lines?

Might as well post a lot more.

But I’m guessing it tries to access the challenge file in the /.well-known/acme-challenge/ directory, which results in a 404 error.

Did you change the document root of the hosts?

Did I change the document root of the hosts? Possibly. It’s a while ago
since I set all this up following a ‘howto’ at
https://www.pestmeester.nl/index.html#10.0

200 lines I hope.

sudo tail -n 200 /etc/letsencrypt/certbot/certbot-cron.log
[sudo] password for john:

Hi,

I’m trying to follow your hint about .well-known. My directory structure is
as follows. Should .well-known be in wordpress?

Thanks,

John

cd /data/sydneybackgammonclub.org.au/www/
.well-known/ wordpress/
cd /data/sydneybackgammonclub.org.au/www/wordpress/

drwxr-xr-x 5 www-data nogroup 4096 Dec 4 16:33 .
drwxr-xr-x 4 www-data www-data 4096 Sep 16 18:53 ..
-rw-r--r-- 1 www-data nogroup 418 Sep 25 2013 index.php
-rw-r--r-- 1 www-data nogroup 19935 Dec 4 16:32 license.txt
-rw-r--r-- 1 www-data nogroup 7413 Dec 4 16:32 readme.html
-rw-r--r-- 1 www-data nogroup 5434 Dec 4 16:32 wp-activate.php
drwxr-xr-x 9 www-data nogroup 4096 Dec 4 16:32 wp-admin
-rw-r--r-- 1 www-data nogroup 364 Dec 19 2015 wp-blog-header.php
-rw-r--r-- 1 www-data nogroup 1627 Aug 29 2016 wp-comments-post.php
-rw-rw-rw- 1 www-data www-data 3138 Sep 16 19:23 wp-config.php
-rw-r--r-- 1 www-data nogroup 2853 Dec 16 2015 wp-config-sample.php
drwxr-xr-x 7 www-data nogroup 4096 Dec 4 16:33 wp-content
-rw-r--r-- 1 www-data nogroup 3669 Dec 4 16:32 wp-cron.php
drwxr-xr-x 18 www-data nogroup 12288 Dec 4 16:32 wp-includes
-rw-r--r-- 1 www-data nogroup 2422 Nov 21 2016 wp-links-opml.php
-rw-r--r-- 1 www-data nogroup 3306 Dec 4 16:32 wp-load.php
-rw-r--r-- 1 www-data nogroup 36583 Dec 4 16:32 wp-login.php
-rw-r--r-- 1 www-data nogroup 8048 Jan 11 2017 wp-mail.php
-rw-r--r-- 1 www-data nogroup 16246 Dec 4 16:32 wp-settings.php
-rw-r--r-- 1 www-data nogroup 30071 Dec 4 16:32 wp-signup.php
-rw-r--r-- 1 www-data nogroup 4620 Dec 4 16:32 wp-trackback.php
-rw-r--r-- 1 www-data nogroup 3065 Sep 1 2016 xmlrpc.php

Assuming that's where your document root is (which it seems to be), yes.

However, moving it won't help (and isn't necessary). Rather, you'll need to update the renewal configuration so that certbot knows where it should be. You can do this by editing the renewal configuration file in /etc/letsencrypt/renewal/ to change the webroot path to /data/sydneybackgammonclub.org.au/www/wordpress/ and then running certbot-auto renew again. It should then recreate the .well-known directory in the correct location.

Alternatively, you can also do it by re-running the command that you used to obtain the certificate originally (but with the correct new webroot path), if you remember it or can find it in your shell history.

Since you’re using certbot-auto and should therefore have a recent version, another option you might try is the new --nginx plugin. It should work without you needing to specify the webroot, which should be safer if you move it again in the future, and should also automatically reload nginx after a successful renewal so you don’t have to do that directly from the cron job.
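
The mismatch diagnosed in the reply above, as an added example (not part of the original posts and not certbot's own code): a shell check that reads the [[webroot_map]] section of a renewal configuration file and compares each path with the document root the web server actually serves. The example.org domains, the /data/example.org paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag certbot renewal configs whose webroot no longer matches
# the directory the web server serves. All paths and domains are constructed.

# Print "domain<TAB>path" for each entry under [[webroot_map]].
webroot_map_entries() {
    awk '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && (i = index($0, "=")) {
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "\t" val
        }' "$1"
}

# Compare every mapped webroot with the real document root ($2).
# Returns non-zero if any domain points somewhere else.
check_webroots() {
    docroot=${2%/}; status=0; tab=$(printf '\t')
    while IFS=$tab read -r domain path; do
        [ -n "$domain" ] || continue
        if [ "${path%/}" = "$docroot" ]; then
            echo "OK       $domain -> $path"
        else
            echo "MISMATCH $domain -> $path (server root: $docroot)"
            status=1
        fi
    done <<EOF
$(webroot_map_entries "$1")
EOF
    return "$status"
}

# Constructed sample of a renewal config written before the site moved.
write_sample_conf() {
    cat >"$1" <<'CONF'
archive_dir = /etc/letsencrypt/archive/example.org
[renewalparams]
authenticator = webroot
webroot_path = /data/example.org/www,
[[webroot_map]]
example.org = /data/example.org/www
www.example.org = /data/example.org/www
CONF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_webroots "$sample" /data/example.org/www/wordpress || true
rm -f "$sample"
```

A MISMATCH line means the HTTP challenge file would be written outside the served directory, which is the condition that produces the 404 in the renewal log.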

Thanks John. I’ll try your first idea. Your second option looks a little
too adventurous for me.

J

Hi John,

Small hiccup. certbot-auto renew gives command not found.

J

I guess it should be /etc/letsencrypt/certbot-auto renew as that’s what’s in your cron job. Or use the full path to wherever certbot-auto is installed.

If it’s no longer installed you can download it from https://certbot.eff.org/#debianother-nginx (I’m guessing you’re on Debian?)

Congratulations, all renewals succeeded. The following certs have been
renewed :slight_smile:

Thank you both. A great help.

John

Great, glad you got your certificate renewed!

Looks like you still need to reload nginx to make it pick up the renewed cert, though.

Ah! Trap for noobs :wink:

Thanks,

J
