ShortIQ

ShortIQ

LoginGet Started

DevOps

How to Renew a Let's Encrypt Certificate on Ubuntu

A practical guide to renewing Let’s Encrypt SSL certificates on Ubuntu, including Certbot commands, dry runs, automation checks, and common renewal problems.

April 28, 2026ShortIQ Editorial Team

Why Renewal Matters

Let’s Encrypt certificates are not issued forever. They expire on a short cycle, so renewal has to work reliably if you want your site to stay trusted in browsers. On Ubuntu, Certbot is the most common tool used to manage and renew those certificates.

Most setups are meant to renew automatically, but it is still important to know how to check the renewal process manually and how to troubleshoot it when something goes wrong.

The Basic Manual Renewal Command

If Certbot is already installed and managing your certificate, the basic renewal command is simple. It checks all installed certificates and renews only the ones that are close to expiry.

This command is safe to run manually even if the certificate is not due yet.

bash
sudo certbot renew

How to Test Renewal Safely

Before trusting the automation, run a dry test. A dry run simulates the renewal process without actually issuing a new certificate. This is the best way to confirm that Certbot, your challenge method, and your server configuration are all working as expected.

If the dry run succeeds, your renewal path is usually in good shape.

bash
sudo certbot renew --dry-run

How Automatic Renewal Usually Works

On modern Ubuntu systems, Certbot is often configured to renew automatically through a systemd timer. On some setups, a cron job may be used instead. The exact mechanism depends on how Certbot was installed and how the server was configured.

If you want to verify that automation exists, check the active timer or scheduled job instead of assuming renewal will happen by itself forever.

bash
systemctl list-timers | grep certbot

When You Need to Reload Nginx or Apache

In many common setups, Certbot can reload the web server automatically after successful renewal. But it is still worth checking that the new certificate is actually being used after renewal, especially if you rely on custom Nginx or Apache configuration.

If needed, you can reload the server manually after renewal.

bash
sudo systemctl reload nginx

Common Renewal Problems

The most common failures are DNS mismatches, broken webroot or challenge paths, ports 80 or 443 being blocked, or old server configuration that no longer matches the domain state. Renewal may also fail if the domain now points somewhere else or if the server block no longer serves the expected host correctly.

When renewal fails, Certbot’s output usually tells you whether it is a challenge validation issue, a permissions issue, or a configuration problem.

  • Domain DNS no longer points to the server
  • Port 80 blocked for HTTP challenge
  • Nginx or Apache config no longer matches the domain
  • Broken webroot path
  • Server reload problems after renewal

A Practical Renewal Checklist

If you manage production sites manually, it helps to treat certificate renewal like a lightweight maintenance check. Confirm the dry run, confirm the timer or cron setup, and confirm the site still serves the updated certificate after renewal.

This small discipline prevents avoidable downtime later.

  • Run `sudo certbot renew --dry-run`
  • Check that the automation timer exists
  • Confirm the domain still resolves correctly
  • Reload Nginx if needed
  • Verify the certificate is serving properly after renewal

Related Ubuntu and Nginx Guides

This article fits naturally with deployment and server-fix content. If you are setting up an Ubuntu production environment or troubleshooting server issues, the related guides below help tie the stack together.

  • Related article: /blog/how-to-deploy-nextjs-project-on-ubuntu-24
  • Related article: /blog/how-to-set-up-pm2-with-nginx-on-ubuntu
  • Related article: /blog/how-to-fix-502-bad-gateway-in-nodejs-and-nginx
  • Related article: /blog/how-to-deploy-mern-app-with-ssl
  • Blog hub: /blog

FAQ

How do I renew a Let’s Encrypt certificate on Ubuntu?

The standard command is `sudo certbot renew`, which checks all managed certificates and renews the ones close to expiry.

How can I test certificate renewal without changing anything?

Use `sudo certbot renew --dry-run` to simulate the process and verify that your setup is working.

Does Certbot renew certificates automatically?

Usually yes, often through a systemd timer or cron job, but you should verify that the automation is active on your server.

Do I need to restart Nginx after renewal?

Sometimes a reload is needed so the web server starts using the renewed certificate, depending on how your setup is configured.

Why does Let’s Encrypt renewal fail?

Common causes include DNS issues, blocked ports, incorrect challenge paths, or broken Nginx or Apache configuration.

Related free tools

If you want to turn this topic into action, use one of ShortIQ's free tools for campaign planning, UTM structure, or QR distribution.

Continue Reading

Explore more guides on link shortener SaaS strategy, Bitly alternatives, and white label link management.

Was this article helpful?

Tell us if this guide solved the problem or what was still missing. We use this to improve the blog and only follow up if you explicitly allow it.

We use this to improve tutorials, examples, and technical depth.