LetsEncrypt makes SSL website hosting easier. It also allows users to secure their websites free of cost.
However, websites need to go through the LetsEncrypt SSL renewal process every 90 days. Fortunately, there are ways to automate this task. Even so, SSL renewals often fail with errors.
That’s why our customers frequently contact us to fix LetsEncrypt SSL renewal errors as part of our Technical Support Services.
Today, we’ll see the top errors with LetsEncrypt SSL certificate renewal and how our Dedicated Engineers fix them.
How does automatic LetsEncrypt SSL renewal help?
LetsEncrypt removes the cost overhead of securing websites. That’s why it is a popular choice among customers. The downside is that certificates must be renewed at the end of every 90 days. Things stay under control when you have only a few websites, because you can easily track and manage LetsEncrypt SSL renewals.
But that’s not the case when you have hundreds of websites. Manual SSL certificate renewal becomes a tedious task. That’s why our Dedicated Engineers always implement automatic LetsEncrypt SSL renewal on servers.
Ways to renew LetsEncrypt SSL
When it comes to renewing LetsEncrypt SSL certificates, there are different ways to do it.
Fortunately, there are utilities like letsencrypt-auto, certbot-auto, etc. that take care of the renewal process. This prevents your certificates from expiring. It also does not affect the working of live websites.
For this, our Support Engineers use the task scheduler ‘cron’ on Linux servers. We select the frequency of the cron job based on the customer’s requirements. As a result, it non-interactively renews all of your certificates.
To set up the automatic renewal, we connect to the server as the ‘root’ user and edit the crontab using the following command:
crontab -e
Then, we add the respective task to the end of the crontab file.
For example, when the server uses the letsencrypt-auto utility, the crontab entry will be
0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew
Similarly, when using the certbot utility, we set the entry as
0 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && /etc/init.d/apache2 restart
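Cron renewals fail silently, and a monthly schedule like the first entry above leaves only about one attempt inside the client's 30-day renewal window. The script below is an added example, not part of the original article: it lists every certificate under certbot's default /etc/letsencrypt/live directory that has fewer than WARN_DAYS days left. The 20-day threshold, the script path and the cron time are assumptions.

```shell
#!/bin/sh
# Added example: report certificates the renewal cron job has failed to refresh.
# WARN_DAYS is an assumed threshold; LIVE_DIR is certbot's default lineage directory.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-20}"

# cert_expires_within FILE DAYS: succeed if FILE expires within DAYS days.
# An unreadable or malformed file also counts as expiring, so it gets reported.
cert_expires_within() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# stale_certs: print the name of every lineage under LIVE_DIR
# whose cert.pem is within WARN_DAYS of expiry.
stale_certs() {
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -f "$cert" ] || continue
        if cert_expires_within "$cert" "$WARN_DAYS"; then
            basename "$(dirname "$cert")"
        fi
    done
}

# Daily cron usage (script path is hypothetical); a non-zero exit means
# at least one renewal is overdue:
#   30 6 * * * /usr/local/sbin/le-expiry-check.sh --check
if [ "${1:-}" = "--check" ]; then
    stale=$(stale_certs)
    if [ -n "$stale" ]; then
        echo "renewal overdue for: $stale" >&2
        exit 1
    fi
fi
```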
Things are easier on servers that have control panels. For example, on cPanel servers, there are plugins like “Let’s Encrypt™ for cPanel” that take care of all certificate renewals in the background. The plugin automatically attempts to renew a certificate every day from the point when it has 30 days left before it expires.
However, the renewal attempts require some prerequisites to be met, or they will fail. The plugin also sends an email about the status of the renewal to the email account attached to your cPanel account.
Depending on the customer’s choice, we first install the certbot or letsencrypt-auto utility on the server.
Reasons for LetsEncrypt SSL renew errors and fixes
Now, let’s see the top reasons for LetsEncrypt SSL cert renewal failures and how our Dedicated Engineers fix them.
1. Too many attempts for SSL certificate
Let’s Encrypt enforces rate limits to ensure fair usage of its service. Once this request limit is reached, trying to install the certificate for the domain xxx.com ends in the error below.
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Here, our Dedicated Engineers allow a cool-off period before retrying the renewal. We also fix the domain configuration on the server. After a few hours, the certificate renewal works successfully.
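A scheduled job that keeps retrying during the cool-off period only adds more failed authorizations. The wrapper below is an added example, not part of the original article: it matches the rate-limit message shown above, records when it was seen, and skips further attempts until the cool-off has passed. STATE_FILE, the 3-hour COOL_OFF_SECS default and the script path are assumptions.

```shell
#!/bin/sh
# Added example: back off after a Let's Encrypt rate-limit error instead of retrying.
# STATE_FILE and COOL_OFF_SECS are assumptions, not values from the article.
STATE_FILE="${STATE_FILE:-/var/lib/letsencrypt/renew.cooloff}"
COOL_OFF_SECS="${COOL_OFF_SECS:-10800}"   # 3 hours

# classify_output RC: read the client's output on stdin, print ok|rate_limited|failed
classify_output() {
    if grep -qiE 'too many (failed authorizations|requests of a given type)'; then
        echo rate_limited
    elif [ "$1" -ne 0 ]; then
        echo failed
    else
        echo ok
    fi
}

# in_cool_off NOW: succeed while the recorded rate-limit hit is younger than COOL_OFF_SECS
in_cool_off() {
    [ -f "$STATE_FILE" ] || return 1
    since=$(cat "$STATE_FILE")
    case $since in ''|*[!0-9]*) return 1 ;; esac   # ignore a corrupt stamp
    [ $(( $1 - $since )) -lt "$COOL_OFF_SECS" ]
}

# run_renewal NOW CMD...: skip during cool-off, otherwise run CMD and record the outcome
run_renewal() {
    now=$1; shift
    if in_cool_off "$now"; then
        echo skipped
        return 0
    fi
    out=$("$@" 2>&1) && rc=0 || rc=$?
    printf '%s\n' "$out" >&2                       # keep the client's output for cron mail
    status=$(printf '%s\n' "$out" | classify_output "$rc")
    case $status in
        rate_limited) echo "$now" > "$STATE_FILE" ;;
        ok)           rm -f "$STATE_FILE" ;;
    esac
    echo "$status"
}

# Cron usage (script path is hypothetical):
#   0 2 * * 6 /usr/local/sbin/le-renew.sh --run /opt/letsencrypt/letsencrypt-auto renew
if [ "${1:-}" = "--run" ]; then
    shift
    run_renewal "$(date +%s)" "$@"
fi
```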
2. Missing updates of LetsEncrypt package
Similarly, failing to update the Letsencrypt package on time can also create problems with SSL renewals.
Recently, one of our customers reported problems with LetsEncrypt renewals on his cPanel server. He was getting a mail giving the reason for the failure as:
03:50:02 Analyzing “<domain>” …
03:50:02 ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
In this case, the domain settings were all correct, and the Letsencrypt logs showed no relevant entries. Still, the renewals were failing. On a detailed check, we could see that the server was using an outdated Letsencrypt rpm. Therefore, to fix the problem, our Support Engineers just had to run:
yum update cpanel-letsencrypt
After that, SSL renewals started working again.
3. Cache problems
From our experience in managing LetsEncrypt SSL certificates, we often see problems caused by the browser cache too. In such cases, even after the SSL certificates are renewed, the SSL checker website will show a “Failed” status for websites.
To fix this, our Support Engineers always educate customers to check websites after clearing the browser cache.
In short, LetsEncrypt SSL renewal errors happen for reasons like missing package updates, too many attempts and so on. Today, we saw the top reasons for SSL renewal failures and how our Dedicated Engineers fix them.