Fix: Nginx + Certbot Let's Encrypt Renewal Failure
Certbot renews Let's Encrypt certificates via the HTTP-01 challenge on port 80. Renewal fails when port 80 is blocked, Nginx is misconfigured, or the certbot timer has stopped.
Test renewal dry-run
sudo certbot renew --dry-run
# Look for: "Congratulations, all renewals succeeded"
Check certbot timer status
systemctl status certbot.timer
# Should show: active (waiting)
# If inactive: sudo systemctl enable --now certbot.timer
Nginx config — allow ACME challenge through redirect
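server {
    listen 80;
    server_name yourdomain.com;
    # Must be exempt from the HTTPS redirect. Nginx picks the longest matching
    # prefix, so this location wins over "/" for challenge requests.
    location /.well-known/acme-challenge/ {
        # Must match the webroot path certbot was given (-w / --webroot-path).
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }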
}
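To tell the failure causes above apart (port 80 blocked versus an Nginx location or root problem), the following added example, which is not part of the original page, writes a throwaway token into the webroot and fetches it over plain HTTP without following redirects. The script name acme-probe.sh, the function names and the diagnosis labels are assumptions made for illustration; the webroot default is taken from the config above.

```sh
#!/bin/sh
# Added example (not from the original page): probe the ACME challenge path over plain HTTP.
# Assumptions: webroot defaults to /var/www/certbot as in the config above; run as a user
# that can write there; curl and mktemp are installed.

# Map a probe result to a diagnosis. Pure function, no network access.
#   $1 = HTTP status from curl ("000" = no connection)  $2 = body received  $3 = token written
classify_probe() {
    case "$1" in
        000) echo "UNREACHABLE: no answer on port 80 (firewall or nginx not listening)" ;;
        200) if [ "$2" = "$3" ]; then
                 echo "OK: challenge file served over plain HTTP"
             else
                 echo "WRONG_CONTENT: 200 but body differs; another server block or root answered"
             fi ;;
        301|302|307|308) echo "REDIRECTED: request was redirected, not served from the challenge location" ;;
        403) echo "FORBIDDEN: nginx refused the file (likely webroot permissions)" ;;
        404) echo "NOT_FOUND: nginx root is usually not the directory the token was written to" ;;
        *)   echo "UNEXPECTED: HTTP $1" ;;
    esac
}

# Write a throwaway token into the webroot, fetch it without following redirects, clean up.
# The body is a subshell ( ... ) so its variables stay local.
probe_domain() (
    domain="$1"; webroot="${2:-/var/www/certbot}"
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$$-$(date +%s)"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || exit 2
    body_file=$(mktemp) || exit 2
    status=$(curl -s -m 10 -o "$body_file" -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
    body=$(cat "$body_file")
    rm -f "$body_file" "$dir/$token"
    classify_probe "$status" "$body" "$token"
)

# Run only when a domain is given, e.g.: sudo sh acme-probe.sh yourdomain.com
if [ "$#" -ge 1 ]; then probe_domain "$@"; fi
```

Run it from the server for a quick check of the Nginx config, and from an outside host (with the token written separately) to include the firewall path in the test.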