Unsuccessful Backend SSL certificate Renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: backend.agentxsecurity.com

I ran this command: sudo certbot renew

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): don't know

My hosting provider, if applicable, is: DigitalOcean.com

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): don't know

Welcome to the community @agentx

what happens when you run

sudo certbot renew --dry-run

Have not tried that command before, am just learning programming online. Thanks for your fast response

1 Like

Hi @agentx, did you mean to say that there was no output from the command at all?


Yes there was. It says no attempt to renew

Please post the entire output. We don't have crystal balls I'm afraid.


I run the command: certbot certonly --force-renew -d backend.agentxsecurity.com and was asked to key in the webroot and I put agentxsecurity.com

Why are you using this option?


That doesn't look like a webroot path.


Please what's the way forward, not too proficient, just learning

What does this show? Please post the output in a response

certbot certificates

I see you got certs for this domain in the past. But, the most recent expired more than a month ago. This command will tell us what your system knows about these older certs.


Please read https://eff-certbot.readthedocs.io/en/stable/using.html#re-creating-and-updating-existing-certificates


May I suggest reading the documentation for Certbot, so you can learn what the options actually entail?


@agentx You can see in the Certbot documentation that there are different plugins for Certbot which use different methods to satisfy the certificate authority's challenge. Each of --nginx, --standalone, and --webroot (or equivalently choosing an option from the authentication plugin selection menu) uses a very different approach to do this.

Each one could be appropriate in a different situation, depending on how your web server is set up.


This suggests that the automated renewals are already working (using whatever option was used when you first obtained the certificate), or else not yet due. Unless you've changed something since then that you expect might cause the renewals to fail, it's still possible that they're working correctly. certbot renew without --force-renewal only attempts to renew certificates that are "due" based on having under 30 days of remaining validity, which is in accordance with Let's Encrypt's recommendations.


Here are links for Certbot plug-in


Thanks for all the information. I will retry again and post the feedback here

1 Like

And to be absolutely clear: there usually is absolutely no point in using --force-renewal. And it also does not magically make a failing challenge succeed, what is something some users think.


I tried the suggestion given by my hosting provider Digitalocean but it still failed as screenshot below. Any further help will be appreciated

The 404 error when using the --nginx option usually means something is wrong in your nginx config. Please upload the certbot log file. Make a copy of it to a .txt file and use the upload button in the post menu.

The log will show us the temp changes by Certbot and why they are not working


@agentx Please provide the requested information above.