How to Fix Let’s Encrypt on Linux Server: Complete Troubleshooting Guide

Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides SSL/TLS certificates for websites to enable secure HTTPS connections. Administrators may need to fix Let’s Encrypt issues in Linux when problems occur during installation, renewal, or while using the certificates on a server. While Let’s Encrypt makes obtaining and renewing certificates easy, issues can still arise that require troubleshooting.

In this guide, we will walk you through common issues that can arise with Let’s Encrypt on Linux servers and provide solutions for fixing them. Whether you are facing installation errors, renewal problems, or configuration issues, we’ll cover the troubleshooting steps necessary to restore the proper functionality of your Let’s Encrypt certificates.

Preliminary Steps Before Fixing Let’s Encrypt

Before diving into specific fixes, ensure that Let’s Encrypt is properly installed and configured on your server.

Check Certbot Installation

Certbot is the official Let’s Encrypt client, used to obtain and manage certificates. To check if Certbot is installed, run:

certbot --version

If Certbot is not installed, you can install it using the following commands, depending on your Linux distribution.

  • For Debian/Ubuntu-based systems:
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx # For NGINX
# Or
sudo apt-get install certbot python3-certbot-apache # For Apache
  • For RHEL/CentOS-based systems:
sudo yum install certbot python3-certbot-nginx   # For NGINX
# Or
sudo yum install certbot python3-certbot-apache # For Apache

Check If NGINX or Apache is Installed and Running

If you’re using NGINX or Apache, make sure the server is running correctly before issuing the certificates. You can verify this with:

For NGINX:

sudo systemctl status nginx

For Apache:

sudo systemctl status apache2

If the server is not running, start it with:

For NGINX:

sudo systemctl start nginx

For Apache:

sudo systemctl start apache2

Identifying Common Let’s Encrypt Issues

Here are some of the most common problems you may encounter when using Let’s Encrypt, along with their potential causes:

  • Certbot Unable to Obtain or Renew Certificates

This problem typically occurs due to DNS issues, misconfigurations in the web server, or port-blocking issues on your server.

  • Certificate Renewal Fails

If you’ve successfully installed a certificate with Certbot but face issues with automatic renewal, the problem could be related to misconfigured cron jobs, expired certificates, or connectivity issues with Let’s Encrypt servers.

  • Web Server Configuration Issues

If the NGINX or Apache configuration is incorrect or the web server is not accessible from the outside, Certbot will not be able to verify the domain and issue the certificate.

  • Port 80/443 Not Open or Redirects Not Configured

For Let’s Encrypt to verify domain ownership, its validation servers must be able to reach your server on port 80 (HTTP-01 challenge) and, for the TLS-ALPN-01 challenge, on port 443 (HTTPS). If these ports are blocked by a firewall, or if a web server redirect sends the challenge request somewhere unexpected, certificate issuance or renewal will fail.

  • Firewall or Security Group Blocking Port 80/443

Ensure that your firewall allows connections on ports 80 and 443 for both HTTP-01 and TLS-ALPN-01 challenges used by Certbot.

Fix Let’s Encrypt Issues on Linux: Step-by-Step Solutions

Let’s walk through solutions for the most common issues that can arise when using Let’s Encrypt on your Linux server.

Check Firewall Settings

If you’re unable to obtain or renew a certificate, the issue might be a firewall blocking ports 80 and 443, which are required for the ACME challenge and server verification.

Check for Active Firewall:

  • For firewalld (CentOS/RHEL):
sudo firewall-cmd --list-all
  • For UFW (Ubuntu/Debian):
sudo ufw status

Allow Ports 80 and 443:

  • For firewalld:
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent 
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent 
sudo firewall-cmd --reload
  • For UFW:
sudo ufw allow 80,443/tcp
sudo ufw reload

Restart the firewall and try the Certbot process again.

Ensure NGINX/Apache is Configured Correctly

If you’re using NGINX or Apache, ensure the web server is correctly configured to serve HTTP traffic and that the server is reachable from the public internet.

  • Check Server Configuration:

For NGINX, check your virtual host configuration file to ensure that the server_name directive is set correctly:

server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
location / {
# Your config here
}
}

For Apache, ensure the ServerName directive is set in the appropriate virtual host configuration:

<VirtualHost *:80>
ServerName yourdomain.com
# Other config here
</VirtualHost>

  • Test Web Server:

After making any changes to the configuration, test the configuration file:

For NGINX:

sudo nginx -t

For Apache:

sudo apachectl configtest
  • Restart Web Server:

For NGINX:

sudo systemctl restart nginx

For Apache:

sudo systemctl restart apache2
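
The quickest way to confirm that the web server configuration above actually works for validation is to serve a throwaway file from the ACME challenge path and fetch it back the way the CA would. The script below is an added example, not part of this guide: WEBROOT, DOMAIN and the function names are assumed placeholders, and fetch_url wraps curl so it can be swapped out for offline testing.

```sh
#!/bin/sh
# Added example: verify the web server serves HTTP-01 challenge files.
# Assumed placeholders (not from the guide): WEBROOT and DOMAIN.
WEBROOT="${WEBROOT:-/var/www/html}"
DOMAIN="${DOMAIN:-yourdomain.com}"

# Fetch a URL body over plain HTTP on port 80 without following redirects:
# a redirect to HTTPS on the challenge path is a frequent cause of failure.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# Drop a throwaway token under .well-known/acme-challenge, fetch it through
# the public hostname, and compare. Returns 0 on match, 1 otherwise.
# The token file is removed in every case.
check_http01_path() {
    webroot="$1"
    domain="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="selftest-$$-$(date +%s)"
    printf '%s' "$token" > "$dir/$token" || return 1
    got="$(fetch_url "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)"
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# Human-readable verdict for interactive use; non-zero exit on failure.
report_http01() {
    if check_http01_path "$WEBROOT" "$DOMAIN"; then
        echo "OK: $DOMAIN serves challenge files from $WEBROOT"
    else
        echo "FAIL: token not served at http://$DOMAIN/.well-known/acme-challenge/"
        echo "Check DNS, port 80, server_name/ServerName and any HTTP->HTTPS redirect."
        return 1
    fi
}

# Run the check only when invoked as: sh http01-check.sh run
if [ "${1:-}" = "run" ]; then
    report_http01
fi
```

Run it on the server as a user that can write to the webroot; a FAIL with a redirect page in the response means the challenge path is being sent to HTTPS before the certificate exists.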

Check DNS Configuration

Ensure that the domain you’re requesting the certificate for is pointing to the correct IP address. You can verify this by using nslookup or dig:

nslookup yourdomain.com

Make sure the result points to the correct IP of the server where you are running Certbot.

Manually Issue/Verify the Certificate

If you’re having trouble issuing a certificate via the standard process, you can request it manually using Certbot with the --standalone flag. In this mode Certbot runs its own temporary web server on port 80 to answer the ACME challenge, so stop NGINX or Apache first (the port must be free) and start it again once the certificate has been issued.

Run this command (replace yourdomain.com with your domain name):

sudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

If successful, Certbot will create your certificate, which you can then configure with your web server.

Fix Let’s Encrypt Certificate Renewal Issues

If the certificate was successfully obtained but renewal is failing, it could be due to cron job issues, permissions, or configuration problems.

  • Check Certbot Cron Jobs:

Certbot is typically configured to renew certificates automatically via a cron job or a systemd timer. On distributions whose Certbot package ships a certbot.timer unit there may be no crontab entry at all, which is not a problem in itself. You can check whether a cron job exists by running:

sudo crontab -l

If the cron job is missing, you can add it manually. The default Certbot cron job is usually as follows:

0 12 * * * certbot renew --quiet
  • Manually Renew Certificate:

To force a renewal of the certificate, run:

sudo certbot renew --force-renewal

With --force-renewal, Certbot renews every certificate it manages, whether or not it is due; omit the flag to renew only those due, and use forced renewal sparingly because issuances count against Let’s Encrypt rate limits.

Check and Fix Permissions

If you are receiving permission errors while trying to obtain or renew a certificate, check the permissions of Certbot’s directories.

  • Ensure Correct Permissions for Web Root:

Ensure that Certbot can write to the directories it needs: the web server’s document root (for the challenge files) and its own storage under /etc/letsencrypt. Permission errors here usually mean Certbot was run without root; run it with sudo rather than loosening permissions, because /etc/letsencrypt/archive and /etc/letsencrypt/live hold the private keys. If ownership or modes have drifted, restore Certbot’s defaults (root-owned, key directories and private keys not readable by other users):

sudo chown -R root:root /etc/letsencrypt/
sudo chmod -R u=rwX,go=rX /etc/letsencrypt/
sudo chmod 700 /etc/letsencrypt/archive /etc/letsencrypt/live
sudo chmod 600 /etc/letsencrypt/archive/*/privkey*.pem
  • Check NGINX/Apache Permissions:

Ensure that the web server has proper permissions to serve the ACME challenge files. Check the ownership and permissions for your server’s web root directory.

Test SSL Certificate

Once the certificate is successfully obtained and installed, ensure that your website is accessible via HTTPS. You can test this by visiting https://yourdomain.com in a browser.

To check for SSL issues or verify the certificate:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null

This prints the certificate chain and the TLS handshake details. The -servername option sends the hostname via SNI, so a server hosting several sites returns the certificate for this domain rather than its default one.

Reinstall Certbot

If you suspect that the Certbot installation is corrupted or outdated, you can reinstall Certbot.

For Debian/Ubuntu-based systems:

sudo apt-get remove certbot
sudo apt-get install certbot

For RHEL/CentOS-based systems:

sudo yum remove certbot
sudo yum install certbot

After reinstalling, try the certificate issuance process again.

Optimizing Let’s Encrypt for Linux Servers

Once Let’s Encrypt is working on your server, consider the following best practices for maintaining your certificates and ensuring continuous security:

Enable Automatic Certificate Renewal

Certbot typically sets up automatic certificate renewal, but if it’s not configured, you can set up a cron job or systemd timer to renew certificates automatically. Use the following cron job:

0 12 * * * certbot renew --quiet

This will check for certificates that need renewal and renew them daily at noon.

Monitor Certificate Expiry

Regularly check the expiry of your certificates to avoid service disruptions. Use this command to check the status of all installed certificates:

sudo certbot certificates
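
Rather than reading the output by eye, you can feed it to a small script that lists the certificates already expired or expiring within a chosen number of days, and exits non-zero so a cron job or monitoring check can alert. This is an added example, not part of the guide: the function names are assumed, and the sample output is constructed in the format Certbot prints.

```sh
#!/bin/sh
# Added example: flag certificates nearing expiry from `certbot certificates`.
# Real use: sudo certbot certificates | check_expiry 14
# Constructed sample in the shape Certbot prints (not real certificates):
SAMPLE='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-01-10 12:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2024-11-01 12:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
  Certificate Name: fresh.example.com
    Domains: fresh.example.com
    Expiry Date: 2030-03-01 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/fresh.example.com/fullchain.pem'

# Read `certbot certificates` output on stdin; print one name per line for
# each certificate that is INVALID (expired or otherwise unusable) or that
# stays VALID for at most $1 more days (default 30, Certbot's renewal window).
expiring_certs() {
    awk -v threshold="${1:-30}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name; next }
            if (match($0, /VALID: [0-9]+ day/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                if (f[2] + 0 <= threshold) print name
            }
        }'
}

# Exit non-zero when anything needs attention, so cron/monitoring can alert.
check_expiry() {
    hits="$(expiring_certs "$1")"
    if [ -n "$hits" ]; then
        printf 'Certificates needing attention (<= %s days or invalid):\n%s\n' "$1" "$hits"
        return 1
    fi
    echo "All certificates valid for more than $1 days"
}
```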

Use SSL/TLS Best Practices

Ensure that your web server is configured to use secure SSL/TLS settings. You can configure SSL/TLS settings in NGINX or Apache to use strong ciphers and disable weak ones. Additionally, enable HTTP/2 and use TLS 1.2 or higher.

Redirect HTTP to HTTPS

Ensure that HTTP traffic is automatically redirected to HTTPS. In NGINX, you can use the following configuration:

server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$server_name$request_uri;
}

In Apache:

<VirtualHost *:80>
ServerName yourdomain.com
Redirect permanent / https://yourdomain.com/
</VirtualHost>

Conclusion

Fixing Let’s Encrypt on a Linux server involves troubleshooting service issues, incorrect configurations, firewall settings, and permissions. By following the troubleshooting steps outlined in this guide, you can resolve most Let’s Encrypt-related issues and restore full functionality. Regularly monitor your certificates, set up automatic renewals, and ensure your web server configurations are optimized to maintain a secure HTTPS environment.

Himanshu Joshi
