SSL certificate expired - Not able to renew

I have the subdomain, and I have taken the letsencrypt ssl for Https. It worked fine from last 90 days and then it will expired.

On my firewall I have only whitelisted the specific IP by which that domain will be accessible.

I know the reason for not auto-renew the certificate because it is not open for all IP.

Though I have tried to renew by first using the All TCP connection to open for all and then run the command for renewal.

sudo certbot renew --dry-run


Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/ (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

After that I checked and open the Site through Https but there is still getting the expired ssl warning.

I have reduced the TTL time to 300 on route 53 (AWS)

Can anyone give me the pointers by which I will use https like earlier.

Thanks in advance for the interaction and support.

1 Like

Why are you running this command? You know it doesn't actually renew the cert, right? That's what the --dry-run means--test everything out, but don't actually renew the cert. If you want to renew the cert, leave that part off.

1 Like

Thanks for the response.
Can you share the command by which I can renew the certificate.

@danb35 has already told you what you exactly need to do. There's no need to actually give away the literal command.

This also sounds like you don't fully grasp the commands you're entering on your command line, which I find staggering. You should ALWAYS know what any command and ALL the options for that command actually do. I highly recommend you to read the official certbot documentation to grasp all the options you're using, now and in the future.


I'd probably not go that far (though I certainly won't argue that it's a bad idea), but you should certainly know what the options you're specifying do. Presumably OP was following some instruction that said to use --dry-run. The odds approach unity that whatever that instruction was, described what --dry-run does.

1 Like

I know some users a multi-lingual, but for less fluent english speakers I'm sure the phrase dry-run probably needs some explaining unless you look up the docs, so yes it's a good idea to read the docs page but also the command itself will provide some help: certbot/cli-help.txt at master · certbot/certbot · GitHub

1 Like

Welcome to the Let's Encrypt Community, Ankit :slightly_smiling_face:

@danb35 @Osiris

I feel like there's a certain... :thinking: comedic misunderstanding... going on here as I believe you both actually mean the same thing. I don't think that @Osiris was meaning that @ankit101 should literally digest the entire array of certbot options in the manual before proceeding. I believe he was meaning that one should know what any command and its options mean that one finds in a tutorial before executing that command with those options. Correct me if I'm wrong here, of course, @Osiris. I laughed a little at the "lost in translation" aspect when I saw @webprofusion post about such (in a different context) immediately afterward. :grin:

You're absolutely correct @griffin. With "command" I meant the actual full command entered on the command line. Not every possible option to the certbot command itself :stuck_out_tongue:

1 Like

The very thought of that makes me a little queasy. :nauseated_face: I consider myself to be fairly-well versed in "the certbot" and yet some of the more esoteric options still baffle me. :woozy_face:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.