Troubleshooting Guide: SSL Certificate Not Renewing

Use this guide to work through the most likely causes, gather useful evidence and make production-safe changes without turning a small problem into a larger outage.

What this problem usually means

SSL renewal can fail when validation challenges cannot reach the server, DNS records are wrong, ports are blocked, the NGINX config is invalid, or automation workflows have been moved without updating paths.

Production caution: Avoid deleting certificate folders during an outage. It is usually safer to inspect renewal configuration, issue a replacement if needed, then update NGINX safely.

Common symptoms

  • Browser says certificate expired
  • Certbot renewal fails
  • Cloudflare shows origin certificate errors
  • HTTPS works on one hostname but not another
  • Renewal cron/timer no longer runs

Common causes

  • Port 80 blocked for HTTP validation
  • Cloudflare proxy or redirects interfere with challenges
  • DNS challenge credentials expired or missing
  • NGINX config test fails before reload
  • Wrong certificate path in virtual host config
  • Old domains remain in the renewal config

Safe first checks

These checks are intended to help identify the direction of the issue. Always adjust paths, service names and commands for your environment.

Check certificate dates

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Test renewal

certbot renew --dry-run

Check NGINX config

nginx -t

Check timers

systemctl list-timers | grep -i certbot

Typical fixes

  • Fix HTTP or DNS validation path
  • Remove stale domains from renewal configs
  • Correct certificate paths in web server config
  • Use DNS validation where HTTP validation is not practical
  • Test reloads before applying changes
  • Add observability for certificate expiry
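
A minimal expiry monitor built on the "Check certificate dates" command above, shown as an added example rather than code from this guide. The 30 and 7 day thresholds, the function names and the sample dates are assumptions; it needs the openssl binary on PATH.

```python
import ssl
import subprocess
import sys
import time

WARN_DAYS, CRIT_DAYS = 30, 7  # assumed alert thresholds, not from the guide
# Constructed sample of what `openssl x509 -noout -dates` prints.
SAMPLE = "notBefore=Jan  1 00:00:00 2030 GMT\nnotAfter=Apr  1 00:00:00 2030 GMT\n"

def parse_dates(output):
    """Map the notBefore/notAfter lines of the -dates output to epoch seconds."""
    dates = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = ssl.cert_time_to_seconds(value.strip())
    return dates

def classify(output, now=None):
    """Return (state, days_left); UNKNOWN means no certificate could be read."""
    now = time.time() if now is None else now
    not_after = parse_dates(output).get("notAfter")
    if not_after is None:
        return ("UNKNOWN", None)
    days = int((not_after - now) // 86400)
    if not_after <= now:
        return ("EXPIRED", days)
    for state, limit in (("CRITICAL", CRIT_DAYS), ("WARNING", WARN_DAYS)):
        if days < limit:
            return (state, days)
    return ("OK", days)

def fetch_dates(host, port=443, timeout=15):
    """Run the guide's openssl pipeline for one hostname, with SNI set to it."""
    try:
        handshake = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
            stdin=subprocess.DEVNULL, capture_output=True, timeout=timeout)
        dates = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                               input=handshake.stdout, capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return ""  # openssl missing or the connection hung: reported as UNKNOWN
    return dates.stdout.decode(errors="replace")

if __name__ == "__main__":
    results = {host: classify(fetch_dates(host)) for host in sys.argv[1:]}
    for host, (state, days) in results.items():
        print(f"{host}: {state} days_left={days}")
    sys.exit(int(any(state != "OK" for state, _ in results.values())))
```

Pass every hostname the server answers for as an argument, since each name is checked with its own SNI value; the non-zero exit status when any name is not OK lets a cron job or systemd timer raise the alert.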

When to get help

Get help if the system is production-facing, customer data is involved, backup processes are uncertain, or the issue affects revenue, security hardening or uptime. We can review the logs, confirm the cause and quote a fixed-scope fix where appropriate.
