Troubleshooting guide

SSL Certificate Not Renewing: Common Causes and Safe Checks

Troubleshoot SSL renewal failures involving Certbot, DNS challenges, HTTP challenges, NGINX, Cloudflare, firewalls and expired certificates.

Remote support available | Commercial systems | Service: SSL/TLS Support
SSL, TLS, Certbot, Let’s Encrypt, NGINX

What this problem usually means

SSL renewal can fail when validation challenges cannot reach the server, DNS records are wrong, ports are blocked, NGINX config is invalid, or automation has been moved without updating paths.

Production caution: Avoid deleting certificate folders during an outage. It is usually safer to inspect renewal configuration, issue a replacement if needed, then update NGINX safely.

Common symptoms

  • Browser says certificate expired
  • Certbot renewal fails
  • Cloudflare shows origin certificate errors
  • HTTPS works on one hostname but not another
  • Renewal cron/timer no longer runs

Common causes

  • Port 80 blocked for HTTP validation
  • Cloudflare proxy or redirects interfere with challenges
  • DNS challenge credentials expired or missing
  • NGINX config test fails before reload
  • Wrong certificate path in virtual host config
  • Old domains remain in the renewal config

Safe first checks

These checks are intended to help identify the direction of the issue. Always adjust paths, service names and commands for your environment.

Check certificate dates

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Test renewal

certbot renew --dry-run

Check NGINX config

nginx -t

Check timers

systemctl list-timers | grep -i certbot
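
A further read-only check for the "wrong certificate path in virtual host config" cause listed above, as an added example that is not part of the original guide. The function names `list_cert_paths` and `check_nginx_cert_paths` are hypothetical; the script assumes one directive per line, paths without spaces, and paths that resolve from the current directory.

```shell
#!/bin/sh
# Added example (not from the original guide). Read-only: it never edits
# NGINX or Certbot files. Assumes one directive per line and paths without
# spaces; "include" directives are not followed.

# Print "directive path" for every certificate directive in the given files,
# skipping comment lines and stripping quotes and the trailing semicolon.
list_cert_paths() {
    awk -v sq="'" '
        /^[ \t]*#/ { next }
        $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
            p = $2
            sub(/;.*$/, "", p)
            gsub(/"/, "", p)
            gsub(sq, "", p)
            print $1, p
        }' "$@"
}

# Report each referenced file; return 1 if any is missing, empty or a
# dangling symlink (Certbot live/ entries are symlinks into archive/).
check_nginx_cert_paths() {
    bad=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            echo "DANGLING $directive $path"; bad=1
        elif [ ! -s "$path" ]; then
            echo "MISSING $directive $path"; bad=1
        else
            echo "OK $directive $path"
        fi
    done <<EOF
$(list_cert_paths "$@")
EOF
    return "$bad"
}

# Example: check_nginx_cert_paths /etc/nginx/sites-enabled/*
```

A non-zero return means at least one virtual host points at a file that NGINX cannot load, which is worth resolving before running `nginx -t` and reloading.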

Typical fixes

  • Fix HTTP or DNS validation path
  • Remove stale domains from renewal configs
  • Correct certificate paths in web server config
  • Use DNS validation where HTTP validation is not practical
  • Test reloads before applying changes
  • Add monitoring for certificate expiry

When to get help

Get help if the system is production-facing, customer data is involved, backups are uncertain, or the issue affects revenue, security or uptime. We can review the logs, confirm the cause and quote a fixed-scope fix where appropriate.

Need this fixed?

Get remote support for this issue.

Fixed technical support starts from $499. Emergency incident support is $199/hr with a minimum window.
