I doubt the pip version is auto-renewing unless you specifically added something to run the pip version. When you installed the Debian apt it probably setup a systemd timer which runs, essentially, sudo certbot renew. It might have setup a cronjob instead I forget off-hand which Debian does.
And, we know that fails from prior tests in this thread. Perhaps something setup a cron job that runs the pip version. That would work but you would have had to do that explicitly. You can check what is happening with the instructions in the auto-renew section of the Certbot docs: User Guide β Certbot 5.5.0.dev0 documentation
If you complete the pip install per the Certbot instructions I linked earlier that would replace the apt version with your pip version. Then the existing auto-renew could work.
You should make sure this command works: sudo certbot renew --dry-run
You don't have to wait until 30 days before expiry
Once you have that working the reconfigure instructions I provided earlier would also run that script you think you need.
Frankly, you have lots of unnecessary "parts". You have been layering fixes upon fixes when much simpler solutions exist. That usually leads to a brittle and difficult to debug setup. I was trying to get you to something simple and stable but you don't have to follow my advice.
From what you have shown I don't see that Jellyfin needs the certs at all. You are proxying to it from nginx using HTTP, not HTTPS. HTTP connections do not use a cert.
nginx needs the certs and if you just referred to the Certbot cert files directly you wouldn't need to copy them.
Try changing this nginx config file /etc/nginx/sites-enabled/jellyfin.conf:
I would prefer to follow your advice but I really need someone to hold my hand doing this but I am conscious that I am taking up too much of your time so was just trying to find a quick way of getting this working.
As I understand it with the certificate renewal the free certificate lasts for 3 months but cannot be renewed until 30 days prior to its expiry, so I wouldnβt know if the script has run automatically and successfully renewed until 30 days before expiry.
I have just checked the Jellyfin GUI and in the https section it needs to be able to browse to the path of fullchain.pem but it cannot see the path /etc/letsencrypt/live/cjf.casacam.net/ (would this be because it runs in a docker?) so this was the reason i was advised by AI to setup up the script to copy the ss certificates to a directory that Jellyfin can see.
As I've noted, a sudo certbot renew --dry-run
tests the renewal process without affecting your production certs
You can run it as often as needed while testing your changes. In fact, this is encouraged rather than using the production system to test.
If that fails your standard auto-renew will not work.
You should make the changes to nginx that I just described anyway. That was something I was eventually going to have you do. There was just more important stuff to sort out first.
If you can't resolve the HTTP port 80 stuff your next best option is to complete the pip install using Certbot's official instructions. Between that and the above nginx change you may have (fingers crossed) a working system. It is still a more complex setup that will need extra attention over time but that may be the best you can do for now.
I am not a Jellyfin expert but that screen says it will perform HTTP to HTTPS redirection only if Jellyfin is listening on HTTPS.
But, it doesn't appear to be since you have nginx acting as a reverse proxy in front of Jellyfin. nginx is a more versatile "front end" option than connecting directly to Jellyfin so I have no problem with that
That confirms my suspicion that if you change the nginx config lines for the two cert related files like I showed I don't think you will need that "copy cert" script at all.
What text file editor have you been using so far? Like how did you make the script file that does those copy cert related commands? You use any text editor you like. This is a pretty fundamental need when administering a server.
And, taking a backup is as simple as copying the file somewhere outside the /etc/nginx file structure. Again, maybe make a directory under your home directory and place a copy there.
Or, since this is just two lines that are posted in this thread your "backup" could be the "before" lines I showed Or, make good notes or something. How you manage backups of your own services is something you'll need to work out.
I have used SUDO NANO to change `/etc/nginx/sites-enabled/jellyfin.conf
I have made the amendments you suggested but when I run
sudo systemctl reload nginx
I get the error:
Job for nginx.service failed.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
I have also noticed that the default and jellyfin.conf files have an arrow in the top left of the icon which I guess would indicate they are shortcuts, also a jellyfin.conf.save file has now appeared in that directory
I ran the commands suggested in the error and here is the output
chris@CWPi5:~ $ systemctl status nginx.service
β nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: en>
Active: active (running) since Tue 2026-03-17 14:17:15 GMT; 4 days ago
Invocation: 644df30788094e7d9ad7244c64c3e7bd
Docs: man:nginx(8)
Process: 1142 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_proce>
Process: 1155 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (c>
Process: 286384 ExecReload=/usr/sbin/nginx -g daemon on; master_process on;>
Main PID: 1157 (nginx)
Tasks: 5 (limit: 19362)
CPU: 17.344s
CGroup: /system.slice/nginx.service
ββ1157 "nginx: master process /usr/sbin/nginx -g daemon on; master>
ββ1158 "nginx: worker process"
ββ1159 "nginx: worker process"
ββ1160 "nginx: worker process"
ββ1161 "nginx: worker process"
Mar 17 14:17:15 CWPi5 systemd[1]: Starting nginx.service - A high performance w>
Mar 17 14:17:15 CWPi5 systemd[1]: Started nginx.service - A high performance we>
Mar 21 21:59:25 CWPi5 systemd[1]: Reloading nginx.service - A high performance >
Mar 21 21:59:25 CWPi5 nginx[286384]: 2026/03/21 21:59:25 [emerg] 286384#286384:>
Mar 21 21:59:25 CWPi5 systemd[1]: nginx.service: Control process exited, code=e
chris@CWPi5:~ $ journalctl -xeu nginx.service
ββ Defined-By: systemd
ββ Support: Debian -- User Support
ββ
ββ A reload job for unit nginx.service has begun execution.
ββ
ββ The job identifier is 9094.
Mar 21 21:59:25 CWPi5 nginx[286384]: 2026/03/21 21:59:25 [emerg] 286384#286384: cannot load certifi>
Mar 21 21:59:25 CWPi5 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAIL>
ββ Subject: Unit process exited
ββ Defined-By: systemd
ββ Support: Debian -- User Support
ββ
ββ An ExecReload= process belonging to unit nginx.service has exited.
ββ
ββ The process' exit code is 'exited' and its exit status is 1.
Mar 21 21:59:25 CWPi5 systemd[1]: Reload failed for nginx.service - A high performance web server a>
ββ Subject: A reload job for unit nginx.service has finished
ββ Defined-By: systemd
ββ Support: Debian -- User Support
ββ
ββ A reload job for unit nginx.service has finished.
ββ
ββ The job identifier is 9094 and the job result is failed.
lines 19-41/41 (END)
}
server {
listen 80;
server_name cjf.casacam.net;
return 301 https://$host$request_uri;
chris@CWPi5:~ $ sudo systemctl status --no-pager -l nginx
β nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: active (running) since Tue 2026-03-17 14:17:15 GMT; 4 days ago
Invocation: 644df30788094e7d9ad7244c64c3e7bd
Docs: man:nginx(8)
Process: 1142 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 1155 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 286384 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=1/FAILURE)
Main PID: 1157 (nginx)
Tasks: 5 (limit: 19362)
CPU: 17.346s
CGroup: /system.slice/nginx.service
ββ1157 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
ββ1158 "nginx: worker process"
ββ1159 "nginx: worker process"
ββ1160 "nginx: worker process"
ββ1161 "nginx: worker process"
Mar 17 14:17:15 CWPi5 systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Mar 17 14:17:15 CWPi5 systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server.
Mar 21 21:59:25 CWPi5 systemd[1]: Reloading nginx.service - A high performance web server and a reverse proxy server...
Mar 21 21:59:25 CWPi5 nginx[286384]: 2026/03/21 21:59:25 [emerg] 286384#286384: cannot load certificate "/etc/letsencrypt/live/cjf.casacam.net/privkey.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
Mar 21 21:59:25 CWPi5 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mar 21 21:59:25 CWPi5 systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.
chris@CWPi5:~ $ sudo systemctl reload nginx
Job for nginx.service failed.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
Here is the updated file incase I have done something wrong:
server {
listen 443 ssl;
server_name cjf.casacam.net;
Also I have run ```
sudo systemctl status --no-pager -l nginx and here is the output incase you need it
chris@CWPi5:~ $ sudo systemctl status --no-pager -l nginx
β nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: active (running) since Tue 2026-03-17 14:17:15 GMT; 4 days ago
Invocation: 644df30788094e7d9ad7244c64c3e7bd
Docs: man:nginx(8)
Process: 1142 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 1155 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 288862 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=1/FAILURE)
Main PID: 1157 (nginx)
Tasks: 5 (limit: 19362)
CPU: 17.570s
CGroup: /system.slice/nginx.service
ββ1157 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
ββ1158 "nginx: worker process"
ββ1159 "nginx: worker process"
ββ1160 "nginx: worker process"
ββ1161 "nginx: worker process"
Mar 21 21:59:25 CWPi5 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mar 21 21:59:25 CWPi5 systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.
Mar 21 22:18:39 CWPi5 systemd[1]: Reloading nginx.service - A high performance web server and a reverse proxy server...
Mar 21 22:18:39 CWPi5 nginx[287478]: 2026/03/21 22:18:39 [emerg] 287478#287478: cannot load certificate "/etc/letsencrypt/live/cjf.casacam.net/privkey.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
Mar 21 22:18:39 CWPi5 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mar 21 22:18:39 CWPi5 systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.
Mar 21 22:46:54 CWPi5 systemd[1]: Reloading nginx.service - A high performance web server and a reverse proxy server...
Mar 21 22:46:54 CWPi5 nginx[288862]: 2026/03/21 22:46:54 [emerg] 288862#288862: cannot load certificate "/etc/letsencrypt/live/cjf.casacam.net/privkey.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
Mar 21 22:46:54 CWPi5 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mar 21 22:46:54 CWPi5 systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.
chris@CWPi5:~ $ sudo nginx -t
2026/03/21 23:13:53 [emerg] 290324#290324: cannot load certificate "/etc/letsencrypt/live/cjf.casacam.net/privkey.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed
chris@CWPi5:~ $ sudo systemctl reload nginx
Job for nginx.service failed.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
chris@CWPi5:~ $ sudo systemctl status --no-pager -l nginx
β nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: active (running) since Tue 2026-03-17 14:17:15 GMT; 4 days ago
Invocation: 644df30788094e7d9ad7244c64c3e7bd
Docs: man:nginx(8)
Process: 1142 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 1155 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 290477 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=1/FAILURE)
Main PID: 1157 (nginx)
Tasks: 5 (limit: 19362)
CPU: 18.074s
CGroup: /system.slice/nginx.service
ββ1157 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
ββ1158 "nginx: worker process"
ββ1159 "nginx: worker process"
ββ1160 "nginx: worker process"
ββ1161 "nginx: worker process"
Mar 21 23:04:30 CWPi5 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mar 21 23:04:30 CWPi5 systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.
Mar 21 23:11:46 CWPi5 systemd[1]: Reloading nginx.service - A high performance web server and a reverse proxy server...
Mar 21 23:11:46 CWPi5 nginx[290206]: 2026/03/21 23:11:46 [emerg] 290206#290206: cannot load certificate "/etc/letsencrypt/live/cjf.casacam.net/privkey.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
Mar 21 23:11:46 CWPi5 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mar 21 23:11:46 CWPi5 systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.
Mar 21 23:16:11 CWPi5 systemd[1]: Reloading nginx.service - A high performance web server and a reverse proxy server...
Mar 21 23:16:11 CWPi5 nginx[290477]: 2026/03/21 23:16:11 [emerg] 290477#290477: cannot load certificate "/etc/letsencrypt/live/cjf.casacam.net/privkey.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
Mar 21 23:16:11 CWPi5 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mar 21 23:16:11 CWPi5 systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.
Huh. Usually the nginx master process (the one that reads the cert files) runs as root which it needs to do to manage trusted ports anyway. This looks like for some reason it is not. Unless those files have been damaged but that seems less likely.
I guess you are back to using that copy of those files.
So, change nginx back to use your original likes of the copied cert files.
Then finish the install of the Certbot pip per its instructions. That will replace the Debian apt copy of Certbot and make your pip install the default Certbot.
After that the sudo certbot renew --dry-run
should work
Once it does return the example command for sudo certbot reconfigure ... to add the deploy-hook for your copy script.
Alternatively, setup a daily cron to run your copy script from your new location under your home directory. It's not the worst option.
Well, frankly, now I am a bit confused as to what actually works on your system.
I looked at your AI suggestions further and see it updating the Certbot systemd service to use the pip version. Maybe that does allow the pip to run for auto-renew via the default Certbot systemd timer.
And, that would explain why standard Certbot commands run successfully but do not produce the expected result. (because the AI had you modify Certbot's default config).
So, given the odd nginx setup and equally unusual Certbot setup I am going to stop giving advice to you.
Back to your original question ... to automate just the copy-cert script, yes, just create a daily cronjob to run the script from your new directory under your home directory. Running cron jobs is a pretty routine part of admin for a server so I'll leave you to sort out the best way for your config. I have no idea why the custom pip config did not find the script in your original location.
Sorry for causing so much consternation. I still think this is an unnecessarily complex setup with much simpler solutions. It is just not practical for me to sort through that on this forum (and I don't offer private assistance )
I hope it all holds together for you. If you ever come back here for help in future months be sure to refer them back to this thread. There is distinctly, um, unique config with material impact.
