SSL Certificate Renewal Failing for My Website

Hi everyone, I’m running a small content-based website that focuses on restaurant guides and menu reviews (mainly about Texas Roadhouse). Everything has been working fine for the past few months, but now I’m facing an SSL-related issue that I can’t seem to fix. My Let’s Encrypt certificate recently expired, and even though I renewed it through my hosting control panel, the browser still shows the certificate as expired. I’ve tried several fixes, but the issue keeps coming back.

The first time I noticed the problem was when visitors started reporting that my site was showing a “Your connection is not private” warning. When I checked using SSL Labs, it showed that the certificate had expired three days ago. I ran the renewal command manually (certbot renew) and got a success message, but the live site still served the old, expired certificate. Restarting the web server (Apache) didn’t help either. It’s as if the server isn’t picking up the new certificate files.

I double-checked my configuration files, and everything points to the correct certificate paths in /etc/letsencrypt/live/mydomain.com/. The new .pem files were updated after the renewal, but when I inspect the certificate in the browser, it’s still the old one. I even tried forcing a reload with systemctl reload apache2 and later a full restart, but no luck. Could there be a permissions issue or a misconfiguration causing the server to load a cached version of the certificate?

Another odd thing is that automatic renewals don’t seem to work anymore. I’ve set up the recommended cron job for certbot renew --quiet, and it used to work perfectly before. However, checking the logs in /var/log/letsencrypt/letsencrypt.log now shows occasional “rate limit” and “temporary failure in name resolution” errors. My DNS configuration hasn’t changed recently, and the domain resolves fine otherwise. Could this be an issue with how my DNS provider handles ACME challenges?

I’m also using Cloudflare in front of my origin server, and I wonder if that might be interfering with the certificate validation or renewal process. Cloudflare’s SSL mode is currently set to “Full,” but I read somewhere that using “Full (Strict)” might cause conflicts with Let’s Encrypt renewal requests. Has anyone dealt with a similar situation where Cloudflare caching or SSL settings prevented the new certificate from showing up?

At this point, I’m not sure if I need to delete the old certificates and reissue new ones manually, or if there’s a better long-term fix. I’d appreciate any suggestions on how to ensure my Let’s Encrypt certificates renew correctly and are properly reloaded by the web server. I’d also love to know if there’s a reliable way to automate the process without Cloudflare or caching issues getting in the way. Thanks in advance for any advice; I just want to get my restaurant website back to being fully secure for visitors again. Sorry for the long post.

You shouldn't be seeing "cert expired" errors if your domain is proxied at Cloudflare. Their CDN uses their Universal SSL cert at their edge. The connection between a browser and their CDN uses that cert.

The cert you get on your Origin server is for the connection between their CDN and your server. Errors with that result in different error messages.

We'll need to know your actual domain name to help. The symptoms you describe are not consistent.

The "temp failure in name resolution" involves the DNS resolver on your Origin server not being able to resolve the Let's Encrypt API domain name. We see that sometimes with people using containers. Are you using any containers on your server?

There are many possible "rate limits". Without the exact message it is hard to say. Let us know this full error message.

5 Likes
  • Share your domain to get proper help diagnosing this problem
  • Don't keep renewing your cert without knowing the problem or you'll just hit the rate limits.
  • You're most likely not proxying via Cloudflare, because they would be managing the main cert for you. Expiry on your proxied origin would be a different error.
  • Common issues: wrong names on cert, lacking www on cert, balancing requests across multiple servers. Mixing http and https content in your site.

I had a longer reply written but deleted it, there's no point guessing without the domain and being able to reproduce the problem.

3 Likes

Here is my domain https://thetexasroadhousemenu.com/ please check and guide me as I am not a technical person. Thanks for your time!

Cool, all looks good to me, so your problem has gone away, unless your user is clicking a specific link to get the error, or accessing it from an old bookmark that used some other domain?

4 Likes

Some findings:

When I surf to https://thetexasroadhousemenu.com/ there are no cert errors. The cert in use was issued on 2025-10-09 20:36:20 GMT. It was not issued by Let’s Encrypt though, it was issued by Google Trust Services.

If I look at this domain in crt.sh I see that another cert was issued by Let’s Encrypt on 2025-10-13 15:08:12 GMT: crt.sh | 21694829380

However, I’m not sure you really need Let’s Encrypt here.

It looks to me as if your site is proxied behind Cloudflare. In another thread I saw that @griffin recommended Cloudflare origin CA.

I think that suggestion might be relevant for your case as well. If you go that route, you can then uninstall certbot.

2 Likes
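As an added example (not code from this thread), a small POSIX shell helper covering two checks raised above: whether the certificate a host actually serves matches the file certbot wrote to disk (the original post's "server still serves the old cert" symptom), and who issued the served certificate and when it expires (the crt.sh findings). The hostname, origin IP and /etc/letsencrypt path are placeholders; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added helper (not from the thread): compare the certificate a TLS endpoint
# actually serves with the one on disk, and show issuer/expiry of each.
# HOST, ORIGIN_IP and the /etc/letsencrypt path below are placeholders.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate served for SNI name $1.
# Pass an origin IP as $2 to reach the origin directly instead of the CDN edge.
served_cert_fingerprint() {
  host="$1"; connect="${2:-$1}"
  printf '' | openssl s_client -connect "$connect:443" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 if both fingerprints are non-empty and equal, 1 otherwise.
fingerprints_match() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Issuer, subject and expiry of a PEM certificate file.
cert_summary() { openssl x509 -in "$1" -noout -issuer -subject -enddate; }

# Usage: check_live_vs_disk HOST PEMFILE [ORIGIN_IP]
# Reports whether the served leaf matches the file certbot wrote.
check_live_vs_disk() {
  disk=$(cert_fingerprint_file "$2")
  live=$(served_cert_fingerprint "$1" "$3")
  echo "on disk : $disk"; echo "served  : $live"
  if fingerprints_match "$disk" "$live"; then
    echo "OK: $1 serves the certificate in $2"
  else
    echo "MISMATCH: $1 is not serving $2 (stale reload, other vhost, or CDN edge cert?)"
    echo "served cert details:"
    printf '' | openssl s_client -connect "${3:-$1}:443" -servername "$1" 2>/dev/null \
      | openssl x509 -noout -issuer -enddate
    return 1
  fi
}

# Example invocation, only when called with arguments:
#   sh check_cert.sh example.com /etc/letsencrypt/live/example.com/fullchain.pem 203.0.113.10
if [ $# -ge 2 ]; then check_live_vs_disk "$@"; fi
```

Run it once against the public hostname (you will see the CDN's edge certificate if the site is proxied) and once with the origin IP; a mismatch only on the second run points at the web server, not at Cloudflare.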

I completely concur, @giffengrabber. 🙂

It makes MUCH more sense to use Cloudflare's Origin CA certs as long as all the traffic to that server via the addresses proxied by Cloudflare comes through Cloudflare. In essence, as long as there are no legitimate "backdoor" requests being made to the origin server, Origin CA certs are advisable. At one of my former employers, we would send a recognizable secret token out of Cloudflare to the origin server to prevent such "backdoor" access.

3 Likes

For the "backdoor requests" scenario, one may enable the Authenticated Origin Pulls feature, which allows authenticating that a request truly comes from the Cloudflare edge. It's also possible to further lock down to ensure the traffic comes from a specific zone or even a hostname defined in the Cloudflare dashboard. This is a form of mTLS (effectively a client certificate).

2 Likes
