SSL Certificate Not Renewing: How to Fix Let’s Encrypt and Other SSL Renewal Failures

Overview

SSL renewal failures are one of the most common support tickets we see. A certificate that renewed fine for two years suddenly stops working, your site throws a security warning, and you’re not sure where to start. The good news: most SSL renewal failed errors come down to a small set of fixable causes.

This article covers Let’s Encrypt auto-renewal failures specifically, but the diagnostic approach applies to any certificate type. Let’s Encrypt certificates expire every 90 days and rely on automated renewal — so when something in the environment changes (a new server config, a firewall rule, a DNS update), renewal silently fails until the certificate actually expires and visitors start seeing browser warnings.

If your certificate has already expired and you need it fixed immediately, jump to the step-by-step section. If you’re seeing a renewal failure in your logs or cPanel before expiry, the troubleshooting section at the bottom will be more relevant.

Prerequisites

  • Access to cPanel, WHM, Plesk, or SSH on your server depending on your hosting type
  • Your domain must be pointed to the server where you’re renewing (DNS A record must resolve correctly)
  • Port 80 (HTTP) must be open and reachable from the internet — Let’s Encrypt’s HTTP-01 challenge requires it
  • If you’re running Certbot manually, you’ll need root or sudo access via SSH
  • Know whether you’re on shared hosting, a VPS, or a dedicated server — the fix path differs

Why SSL Auto-Renewal Fails

Before running commands, it’s worth understanding what actually happens during renewal. Let’s Encrypt uses a domain validation challenge to confirm you control the domain. The most common method (HTTP-01) works by placing a temporary file in /.well-known/acme-challenge/ on your web root and then making an external HTTP request to verify it’s accessible.

If anything blocks that request — a redirect, a firewall rule, a misconfigured .htaccess, Cloudflare proxy, or wrong document root — the challenge fails. The certificate doesn’t renew. You often won’t know until expiry.

That’s the non-obvious part beginners miss: the failure happens silently 30 days before expiry. By the time your site is showing a certificate warning, the renewal has actually been failing for weeks.

Step-by-Step: Fix SSL Renewal in cPanel (Shared and VPS)

Step 1: Check the Current Certificate Status

Log in to cPanel and navigate to Security > SSL/TLS Status. This shows all domains on the account and whether AutoSSL has run successfully. Look for any domain showing a red or yellow status, or an expiry date in the past.

If the certificate is already expired, you’ll see a warning banner at the top of cPanel as well.

Step 2: Run AutoSSL Manually

In cPanel, go to Security > SSL/TLS Status, then click Run AutoSSL at the top of the page. This forces an immediate renewal attempt rather than waiting for the next scheduled run.

Watch the log output. If it completes successfully, you’re done. If it fails, note the exact error message — you’ll need it for the troubleshooting section below.

📝 Note: If you’re a reseller or server admin in WHM, go to WHM > SSL/TLS > Manage AutoSSL to run it across all accounts.

Step 3: Verify the Domain is Resolving to This Server

This is the most commonly missed step. If your domain’s DNS was recently changed or is behind a proxy, the Let’s Encrypt challenge request may be hitting the wrong server.

Run this from your local terminal or SSH to check what IP the domain resolves to:

dig +short yourdomain.com A

Compare the result against your server’s actual IP address. They must match. If you’re using Cloudflare, the proxy (orange cloud) will show Cloudflare’s IP instead of your server’s — which breaks HTTP-01 validation. Either temporarily disable the proxy or switch to DNS-01 challenge validation.

Step 4: Check That Port 80 Is Accessible

Let’s Encrypt needs to reach port 80 on your server from the public internet. Test it:

curl -I http://yourdomain.com/.well-known/acme-challenge/test

You should get a 404 response — that’s fine, it means the path is reachable over plain HTTP. If you get a “connection refused” error or a timeout instead, port 80 is blocked. Check your firewall rules.

⚠ Warning: Some server configs redirect all HTTP to HTTPS before Let’s Encrypt can complete its check. If your .htaccess or Nginx config has a blanket HTTP-to-HTTPS redirect, you may need to add an exception for /.well-known/acme-challenge/.

For Apache, add this above your redirect rule in .htaccess:

# Let the ACME challenge path through before the HTTP-to-HTTPS redirect
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]
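The two checks in Steps 3 and 4 can be run together and turned into a pass/fail report. The script below is an added example, not part of this article or of Certbot: it resolves the domain the way dig +short does, requests a made-up token under /.well-known/acme-challenge/ over plain HTTP without following redirects, and then reports a DNS mismatch, a blocked port 80, or a redirect that would swallow the challenge. The domain and server IP are placeholders passed on the command line; the function names are my own.

```python
"""Pre-flight check for an HTTP-01 renewal (added example, not article or Certbot code).

It performs the same two checks as Steps 3 and 4: does the domain resolve to
this server, and is /.well-known/acme-challenge/ reachable on port 80 without
being redirected to HTTPS. The domain and server IP are supplied on the
command line; the probe token is made up, so a 404 for it is the healthy answer.
"""
import http.client
import socket
import sys

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_a_records(domain):
    """Return the set of IPv4 addresses the domain currently resolves to (like dig +short A)."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def probe_challenge_path(domain, token, timeout=10):
    """GET a challenge URL over plain HTTP without following redirects.

    Returns ("http", status, location_header) on any HTTP answer, or
    ("error", message, None) when port 80 cannot be reached at all.
    """
    try:
        conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
        conn.request("GET", CHALLENGE_PREFIX + token)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        return ("http", resp.status, location)
    except (OSError, http.client.HTTPException) as exc:  # refused, timeout, reset, garbage
        return ("error", str(exc), None)


def evaluate(resolved_ips, server_ip, probe):
    """Turn the raw DNS and HTTP results into findings; an empty list means both checks passed."""
    findings = []
    if not resolved_ips:
        findings.append("DNS: no A record found for the domain (or the lookup failed)")
    elif server_ip not in resolved_ips:
        findings.append(
            "DNS: domain resolves to %s, not to this server (%s); fix DNS or "
            "disable the proxy (Cloudflare orange cloud) for the renewal"
            % (", ".join(sorted(resolved_ips)), server_ip)
        )
    kind, value, location = probe
    if kind == "error":
        findings.append("HTTP: port 80 is not reachable (%s); check firewall rules" % value)
    elif 300 <= value < 400:
        findings.append(
            "HTTP: challenge path is redirected to %s; exempt %s from the HTTPS redirect"
            % (location, CHALLENGE_PREFIX)
        )
    elif value not in (200, 404):
        findings.append("HTTP: unexpected status %d on the challenge path" % value)
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: acme_preflight.py <domain> <server-ip>")
    domain, server_ip = sys.argv[1], sys.argv[2]
    findings = evaluate(resolve_a_records(domain), server_ip,
                        probe_challenge_path(domain, "preflight-probe"))
    for line in findings or ["OK: DNS and port 80 look ready for an HTTP-01 renewal"]:
        print(line)
    sys.exit(1 if findings else 0)
```

Run it as python3 acme_preflight.py yourdomain.com 203.0.113.10 (placeholder values) on the server or from any outside machine; a non-zero exit code makes it usable from a cron job ahead of the renewal window. A 200 is accepted as well as a 404 because some default vhosts answer every path.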

Step 5: Renew Manually via Certbot (VPS/Dedicated Servers)

If you’re managing certificates directly on a VPS or dedicated server using Certbot, run the dry-run test first so you don’t burn through rate limits:

sudo certbot renew --dry-run

If the dry run passes, do the actual renewal:

sudo certbot renew

If it fails, add --verbose to get detailed output:

sudo certbot renew --dry-run --verbose

📝 Note: On Ubuntu 22.04 and later, Certbot is typically installed via snap. The binary is at /snap/bin/certbot. If certbot isn’t found, try the full path or check with which certbot.

Step 6: Check the Certbot Renewal Config

Each domain managed by Certbot has a renewal config file at /etc/letsencrypt/renewal/yourdomain.com.conf. Open it and verify the webroot_path or authenticator settings point to the correct document root for your domain.

cat /etc/letsencrypt/renewal/yourdomain.com.conf

If the webroot_path points to an old or incorrect directory, Certbot will place the challenge file somewhere Let’s Encrypt can’t find it. Update the path to match your actual web root.
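Checking the renewal config by eye is easy to get wrong when several domains share a file, so here is an added example (my own code, not Certbot’s) that reads a renewal config and reports any webroot that no longer exists. Certbot’s renewal files use a ConfigObj-style layout with a nested [[webroot_map]] subsection, which Python’s configparser cannot read, so the script carries its own small parser. SAMPLE_CONF is constructed data that mirrors the real layout; the account value and directory names in it are placeholders.

```python
"""Check a Certbot renewal config's webroot paths (added example, not Certbot code).

Certbot's renewal files are ConfigObj-style: top-level keys, a [renewalparams]
section and a nested [[webroot_map]] subsection. The parser below handles
exactly that layout. SAMPLE_CONF and its paths are constructed for illustration.
"""
import os
import sys


def parse_renewal_conf(text):
    """Parse renewal-config text into nested dicts.

    Top-level keys land in the returned dict; "[name]" opens a section and
    "[[name]]" a subsection of the current section. Comments and blank lines are skipped.
    """
    root = {}
    section = root
    subsection = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[[") and line.endswith("]]"):
            subsection = section.setdefault(line[2:-2].strip(), {})
            continue
        if line.startswith("[") and line.endswith("]"):
            section = root.setdefault(line[1:-1].strip(), {})
            subsection = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line; ignore it
        target = subsection if subsection is not None else section
        target[key.strip()] = value.strip()
    return root


def webroot_findings(conf, path_exists=os.path.isdir):
    """Return problems with the webroot settings; an empty list means they look fine.

    path_exists is injectable so the check can be exercised without touching
    the real filesystem.
    """
    params = conf.get("renewalparams", {})
    findings = []
    if params.get("authenticator") != "webroot":
        return findings  # nginx, apache or dns-* authenticators do not use webroot_path
    # webroot_path is stored as a comma-separated list, usually with a trailing comma.
    paths = [p.strip() for p in params.get("webroot_path", "").split(",") if p.strip()]
    if not paths:
        findings.append("webroot_path is missing or empty")
    for path in paths:
        if not path_exists(path):
            findings.append("webroot_path %s does not exist" % path)
    for domain, path in params.get("webroot_map", {}).items():
        if not path_exists(path):
            findings.append("webroot for %s is %s, which does not exist" % (domain, path))
    return findings


# Constructed sample in the real file layout; the site was moved away from /var/www/old-site.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 2.1.0
archive_dir = /etc/letsencrypt/archive/yourdomain.com
cert = /etc/letsencrypt/live/yourdomain.com/cert.pem
fullchain = /etc/letsencrypt/live/yourdomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/old-site,
[[webroot_map]]
yourdomain.com = /var/www/old-site
www.yourdomain.com = /var/www/old-site
"""

if __name__ == "__main__":
    # Pass /etc/letsencrypt/renewal/yourdomain.com.conf to check a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in webroot_findings(parse_renewal_conf(text)) or ["webroot settings look fine"]:
        print(finding)
```

Running it against the sample with no argument reports three findings, one per stale path; pointing it at a real file on a server where /var/www/old-site was renamed gives the same kind of output, which is the situation Step 6 describes.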

Common Issues and Troubleshooting

Error: “Domain control validation failed” or “Could not connect to http://yourdomain.com”

This means Let’s Encrypt couldn’t reach the challenge file on your server. Causes: port 80 is firewalled, the domain is behind a proxy (Cloudflare orange cloud), or the document root in the renewal config is wrong. Work through Steps 3 and 4 above. On Host & Tech VPS plans, check your firewall rules in WHM under Plugins > ConfigServer Security & Firewall and confirm port 80 is open.

Error: “Too many certificates already issued”

Let’s Encrypt enforces a rate limit of 5 duplicate certificates per domain per week. If you’ve been repeatedly trying to renew or reissue, you’ll hit this. There’s no workaround except waiting. The Let’s Encrypt rate limit resets on a rolling 7-day window. Use --dry-run during testing so you don’t consume real certificate slots.

AutoSSL Keeps Failing But No Error Is Shown

In WHM, go to SSL/TLS > Manage AutoSSL and click Logs to see the full renewal history. The log is much more informative than the cPanel SSL status page. Look for lines containing FAILED or error. In my experience, this is usually a DNS mismatch — the domain has a subdomain like www that resolves to a different server or isn’t included in the certificate’s SAN list.

Certificate Renewed But Browser Still Shows It as Expired

The certificate was renewed on the server but the old one is still being served. This happens when multiple certificate files exist and Apache or Nginx is pointing to the old path. Check your virtual host config to confirm it references the correct certificate file path. For Let’s Encrypt via Certbot, the live certificate is always at /etc/letsencrypt/live/yourdomain.com/fullchain.pem. After updating the config, restart the web server:

sudo systemctl restart apache2
# or for Nginx:
sudo systemctl restart nginx
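To confirm the web server is really serving the renewed file rather than an old copy, compare fingerprints instead of reading config by eye. The script below is an added example using only Python’s standard library (not code from this article or from Certbot): it fingerprints the first certificate in fullchain.pem, fetches the leaf certificate the server actually sends on port 443, and prints MATCH or MISMATCH, along with the reason a verifying client rejects it (for instance an expired certificate) or the days left until expiry. The hostname and path are placeholders; SAMPLE_FULLCHAIN is constructed data, not a real certificate, and the function names are my own.

```python
"""Compare the certificate a site serves on port 443 with /etc/letsencrypt/live/.../fullchain.pem.

Added example, not part of the article or of Certbot; standard library only.
A mismatch between the two SHA-256 fingerprints means the web server is still
loading an old certificate file. The hostname and path are placeholders and
SAMPLE_FULLCHAIN is constructed data, not a real certificate.
"""
import base64
import hashlib
import socket
import ssl
import sys
import time


def first_pem_block(text):
    """Return the first certificate of a PEM bundle (fullchain.pem holds leaf + intermediates)."""
    start = text.find(ssl.PEM_HEADER)
    end = text.find(ssl.PEM_FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate found")
    return text[start:end + len(ssl.PEM_FOOTER)]


def fingerprint(der_bytes):
    """SHA-256 fingerprint in the colon-separated upper-case form browsers display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_pem(text):
    """Fingerprint of the leaf certificate in a PEM file or bundle."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(first_pem_block(text)))


def days_remaining(not_after, now=None):
    """Whole days until a getpeercert() 'notAfter' string such as 'Jun 30 12:00:00 2030 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now is None else now
    return int((expires - now_ts) // 86400)


def served_certificate(host, port=443, timeout=10):
    """Return (leaf DER bytes, notAfter or None, verify error or None) for the cert served for host.

    A verifying handshake is tried first so the script can report why browsers
    complain (e.g. 'certificate has expired'); if that fails, a second,
    non-verifying handshake still fetches the certificate for fingerprinting.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"], None
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), None, verify_error


# Constructed stand-in for a fullchain.pem: two fake "certificates", leaf first.
SAMPLE_FULLCHAIN = "".join(
    ssl.PEM_HEADER + "\n" + base64.encodebytes(body).decode("ascii") + ssl.PEM_FOOTER + "\n"
    for body in (b"constructed-leaf-certificate-bytes", b"constructed-intermediate-bytes")
)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"
    pem_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/letsencrypt/live/%s/fullchain.pem" % host
    with open(pem_path) as fh:
        on_disk = fingerprint_of_pem(fh.read())
    der, not_after, verify_error = served_certificate(host)
    served = fingerprint(der)
    print("on disk:", on_disk)
    print("served :", served)
    if verify_error:
        print("browsers reject the served certificate:", verify_error)
    elif not_after:
        print("served certificate expires in %d days" % days_remaining(not_after))
    print("MATCH" if on_disk == served else "MISMATCH: the web server is loading a different certificate file")
```

Run it on the server as python3 check_served_cert.py yourdomain.com after the restart; MISMATCH with a “certificate has expired” line is the exact symptom this section describes, and the days-remaining figure doubles as a cheap expiry monitor if you schedule the script.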

Let’s Encrypt Won’t Issue for a Subdomain or Wildcard

Wildcard certificates (*.yourdomain.com) require DNS-01 challenge validation — HTTP-01 won’t work for them. Certbot needs API access to your DNS provider to complete DNS-01. If your DNS is managed through Host & Tech, you can use Certbot’s manual DNS challenge or set up a DNS plugin. This is more advanced; if you’re on Shared Hosting, AutoSSL in cPanel handles wildcard issuance automatically without needing DNS API access.

Preventing Future Renewal Failures

A few things worth setting up so this doesn’t repeat:

  • If you’re using Certbot on a VPS, confirm the renewal cron job or systemd timer is active: sudo systemctl status certbot.timer
  • Set up expiry monitoring — most certificate monitoring tools (like SSL Labs or UptimeRobot) can alert you 14-30 days before a cert expires
  • Don’t change your document root or web server config without checking whether your renewal config references the old path
  • If you’re putting a domain behind Cloudflare, do it after the certificate is issued and working, not before

Frequently Asked Questions

Why did my Let's Encrypt certificate stop renewing automatically?

Auto-renewal usually breaks when something in your environment changes — a new firewall rule blocking port 80, a DNS change, Cloudflare proxy being enabled, or a redirect in .htaccess that intercepts the validation request. Let’s Encrypt’s HTTP-01 challenge needs to reach a temporary file on your server over plain HTTP. If anything blocks that, renewal fails silently until the certificate expires.

How do I force SSL renewal in cPanel?

Go to cPanel > Security > SSL/TLS Status and click Run AutoSSL at the top of the page. This triggers an immediate renewal attempt. If it fails, check the on-screen log for a specific error — the most common causes are DNS not pointing to your server or port 80 being blocked.

Can I renew an SSL certificate manually using Certbot?

Yes. Run sudo certbot renew --dry-run first to test without actually issuing a certificate. If the dry run passes, run sudo certbot renew to complete the renewal. If your server is managed through WHM or cPanel, use AutoSSL instead — manually issuing a Certbot certificate alongside AutoSSL can create certificate conflicts.

My SSL certificate renewed but the site still shows a security warning — why?

The new certificate was issued but your web server is still serving the old expired one. This usually means the virtual host config points to a hardcoded certificate file path rather than the symlinked path Certbot manages. Check that your Apache or Nginx config references /etc/letsencrypt/live/yourdomain.com/fullchain.pem, then restart the web server.

How often does Let's Encrypt renew certificates?

Let’s Encrypt certificates are valid for 90 days. Certbot is configured to attempt renewal when the certificate is within 30 days of expiry, so under normal circumstances you’ll never see expiry. The short validity period is intentional — it limits exposure if a certificate is compromised and forces automation rather than manual management.
