Repeated SSL Certificate Issuance and Renewal Failures for a Restaurant Menu Website Using Let’s Encrypt

I am experiencing persistent SSL certificate issues on a restaurant menu website that is hosted on a VPS and served through a standard web stack (Nginx with a reverse proxy setup). The site previously worked fine over HTTPS, but recently browsers began showing security warnings indicating that the certificate is invalid or expired. I attempted to reissue the certificate using Let’s Encrypt, but the process fails intermittently depending on the validation method used. Sometimes the certificate appears to be issued successfully, yet the browser still reports errors such as “certificate not trusted” or “common name invalid.” This inconsistency makes it difficult to determine whether the problem lies with the certificate itself, server configuration, or DNS resolution.

One of the main complications seems to be related to domain and subdomain handling. The website uses both the root domain and a www subdomain, and traffic is redirected between them depending on the request. During the ACME challenge process, HTTP-01 validation occasionally fails with errors suggesting that the challenge file cannot be fetched, even though the path appears accessible when tested manually. In other attempts, DNS-01 validation succeeds, but the issued certificate does not appear to cover all expected hostnames. I am unsure whether redirect rules, virtual host configuration, or incorrect challenge responses are causing these failures.

Another concern is the interaction between the SSL configuration and caching layers. The site is fronted by a CDN and also uses server-side caching for performance. After renewing or reissuing the certificate, some clients continue to receive the old certificate while others receive the new one, leading to mixed reports from users. Clearing caches and restarting services only partially resolves the issue. I am not sure whether the CDN is caching the previous certificate, whether the origin server is serving different certificates based on SNI, or whether there is a mismatch between the full chain and intermediate certificates being served.

The renewal process itself is also unreliable. Automated renewals are set up using a standard ACME client, but renewal attempts sometimes fail silently or produce warnings without clear errors. Logs occasionally mention rate limits, challenge failures, or authorization reuse issues, but the messages are not consistent across attempts. Since this website is updated frequently and expected to be accessible at all times, manual intervention for certificate renewal is not a sustainable solution. I would like to understand how to properly diagnose renewal failures and ensure that automated renewals work reliably without risking downtime.

Additionally, I am concerned about server configuration details such as certificate chain ordering, intermediate certificates, and TLS protocol settings. Online SSL testing tools sometimes report missing intermediates or incomplete chains, even though the certificate files appear correct on disk. I am using modern TLS settings and have disabled deprecated protocols, but I am unsure whether this could be contributing to compatibility issues with certain clients. Clear guidance on verifying correct chain installation and avoiding common configuration mistakes would be very helpful.

I am looking for advice on best practices for managing Let’s Encrypt certificates for a production website that serves dynamic content and uses redirects, caching, and possibly multiple domains. I want to ensure that the certificate setup is robust, future-proof, and easy to maintain as the site evolves. Any insights from the community on diagnosing validation failures, avoiding renewal issues, and ensuring consistent certificate delivery across all clients would be greatly appreciated. Sorry for long post

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it (and make our life a lot harder). In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I assume you are still working on the https://thetexasroadhousemenu.com/ site from your previous thread. I see you still have your domain proxied at Cloudflare.

In that setup, Cloudflare manages the HTTPS connection (and cert) between your user's browser and Cloudflare "edge" servers. It is highly unlikely Cloudflare is getting this wrong. If there is a problem with the HTTPS connection between the Cloudflare "edge" and your Origin server a very different kind of error is shown. It is not subtle

Right now I see HTTP and HTTPS requests to your root domain and the www subdomain working correctly. That is, the HTTP requests get redirected by Cloudflare to HTTPS. And, HTTPS requests to the www subdomain get redirected to your root domain by your Wordpress system. The HTTPS request to your root domain works fine and shows your home page.

You will need to explain exactly the error shown by a failing browser. And, explain exactly what they were doing on your site to get that error. I know you explained various error messages but I don't see them and those errors would be very surprising to see for a Cloudflare proxied domain.

My guess is that it is not related to your cert at all. And, instead involves a "mixed content" violation or perhaps redirects to HTTP from an HTTPS connection. These are problems with your website itself - not the certs.

Mind you, that is a guess. Right now I only see properly working certs and HTTPS connections.

This is a good example of something needing further explanation.

What testing tool exactly and for what domain name and port?

It really isn't possible for the Cloudflare CDN to be using incorrect certs or chains. And, you can't possibly be viewing the certs Cloudflare uses on your own disk. I mean, it is possible to use custom certs with Cloudflare but if you paid to do that you'd know. And, the certs Cloudflare is using for your domain were issued by Google Trust Services (one of Cloudflare's cert providers) and not Let's Encrypt.

Please check what exactly? That site is also proxied at Cloudflare and has a valid cert just as I described earlier. That is, the Cloudflare edge is using a cert from Google Trust Services.

All my comments about the "edge" and your origin still apply. Please provide the details requested