Let’s Encrypt renewal
Certificates are usually renewed automatically, but automation still needs validation.
A good routine is to check the timer, run a dry-run, and confirm that Nginx serves the current certificate after renewal.
Check certbot timer
sudo systemctl list-timers | grep certbot
Expected: a certbot timer entry is listed with a scheduled next run.
You can also inspect the timer directly:
systemctl status certbot.timer --no-pager
Dry-run
sudo certbot renew --dry-run
A dry-run checks the renewal process without replacing the production certificate.
If the dry-run fails, the scheduled automatic renewal will most likely fail the same way.
Check certificate dates
openssl x509 -in /etc/letsencrypt/live/getsrv.app/fullchain.pem -noout -dates
Watch the notAfter value: that is the expiry date of the certificate on disk.
Check that Nginx serves this certificate
echo | openssl s_client -connect getsrv.app:443 -servername getsrv.app 2>/dev/null \
| openssl x509 -noout -dates -subject -issuer
This is more important than checking the file on disk.
The file on disk can already be new while Nginx keeps serving the old certificate it loaded at startup until it is reloaded.
Validate Nginx config
sudo nginx -t
If the test fails, do not reload.
Reload Nginx
sudo systemctl reload nginx
After reload, check the public certificate again:
echo | openssl s_client -connect getsrv.app:443 -servername getsrv.app 2>/dev/null \
| openssl x509 -noout -dates
Check HTTP after renewal
curl -kI https://getsrv.app/
curl -kI https://getsrv.app/sitemap-index.xml
curl -kI https://getsrv.app/no-such-page
Note that -k skips certificate verification, so these commands only confirm the HTTP status codes; run one of them without -k as well to confirm that the chain Nginx serves actually validates.
Expected:
/ 200
/sitemap-index.xml 200
/no-such-page 404
Where renewal usually breaks
Challenge port is unavailable
If the HTTP-01 challenge is used, certbot must be reachable through port 80 to complete validation.
Check the listener:
sudo ss -lntp | grep ':80'
Nginx did not reload
The certificate was renewed, but the server still returns the old one.
Check:
echo | openssl s_client -connect getsrv.app:443 -servername getsrv.app 2>/dev/null \
| openssl x509 -noout -dates
If the date is old, run:
sudo nginx -t
sudo systemctl reload nginx
Wrong certificate path
Check Nginx config:
sudo grep -RIn "ssl_certificate" /etc/nginx/sites-enabled /etc/nginx/conf.d
Paths should point to the current files under /etc/letsencrypt/live/.... Those are symlinks that certbot repoints at the newest files in /etc/letsencrypt/archive/ on every renewal, so a config that references archive/ directly keeps serving the old certificate.
Certificate exists, but the name does not match
Check SAN:
openssl x509 -in /etc/letsencrypt/live/getsrv.app/fullchain.pem -noout -ext subjectAltName
If the expected name is missing from SAN, issue a certificate with the correct names.
Minimal monthly check
sudo certbot renew --dry-run
sudo nginx -t
openssl x509 -in /etc/letsencrypt/live/getsrv.app/fullchain.pem -noout -dates
echo | openssl s_client -connect getsrv.app:443 -servername getsrv.app 2>/dev/null \
| openssl x509 -noout -dates
curl -kI https://getsrv.app/
If all commands pass, the renewal path is healthy.
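As an added example (not code from the original page), the script below turns the monthly check, the "Check that Nginx serves this certificate" / "Nginx did not reload" checks, the SAN check and the HTTP status table into one script that fails with a non-zero status when something is wrong. Instead of eyeballing dates, it compares the SHA-256 fingerprint of the served leaf certificate with the one in fullchain.pem, and it matches SAN entries exactly rather than by substring. Assumptions: HOST and LIVE_DIR are placeholders for the reader's own site (the page's getsrv.app is only the default), WARN_DAYS=30 mirrors certbot's default renewal window, and GNU date, openssl and curl are installed.

```shell
#!/bin/sh
# Added example (not part of the original page): one script for the checks above.
# Assumptions: HOST/LIVE_DIR are placeholders for the reader's own site (the page's
# getsrv.app is used as the default), WARN_DAYS=30 is certbot's default renewal
# window, and GNU date, openssl and curl are installed.

HOST="${HOST:-getsrv.app}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$HOST}"
WARN_DAYS="${WARN_DAYS:-30}"

# Whole days from a reference epoch to an openssl "notAfter=..." line.
# The reference time is an argument so the arithmetic is reproducible.
days_until() {
    now_epoch=$1
    not_after=${2#notAfter=}
    exp_epoch=$(date -u -d "$not_after" +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# SHA-256 fingerprint of the first PEM certificate on stdin (the leaf in fullchain.pem).
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exact match of one DNS name against "openssl x509 -ext subjectAltName" output.
# A plain grep would also accept "evil-getsrv.app" or "getsrvXapp" for "getsrv.app".
san_contains() {
    printf '%s\n' "$1" \
      | tr ',' '\n' \
      | sed -n 's/.*DNS:[[:space:]]*//p' \
      | sed 's/[[:space:]]*$//' \
      | grep -qxF "$2"
}

# The check the page calls the important one: does the live listener serve the
# same leaf certificate as the file certbot just wrote?
check_served_matches_disk() {
    disk_fp=$(fingerprint < "$LIVE_DIR/fullchain.pem")
    live_fp=$(echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null \
              | fingerprint)
    if [ -n "$disk_fp" ] && [ "$disk_fp" = "$live_fp" ]; then
        echo "OK: served certificate matches $LIVE_DIR/fullchain.pem"
        return 0
    fi
    echo "FAIL: served $live_fp but disk has $disk_fp (Nginx not reloaded, or wrong ssl_certificate path?)" >&2
    return 1
}

# HTTP status for a path with TLS verification left on (no -k), so a chain
# problem shows up here instead of being hidden behind a 200.
http_status() {
    curl -sS -o /dev/null -w '%{http_code}' "https://$HOST$1"
}

main() {
    status=0

    not_after=$(openssl x509 -in "$LIVE_DIR/fullchain.pem" -noout -enddate)
    left=$(days_until "$(date -u +%s)" "$not_after")
    echo "days until notAfter: $left"
    if [ "$left" -le "$WARN_DAYS" ]; then
        echo "WARN: inside the renewal window; renewal should already have happened" >&2
        status=1
    fi

    check_served_matches_disk || status=1

    san=$(openssl x509 -in "$LIVE_DIR/fullchain.pem" -noout -ext subjectAltName)
    if san_contains "$san" "$HOST"; then
        echo "OK: $HOST present in SAN"
    else
        echo "FAIL: $HOST missing from SAN; reissue with the correct names" >&2
        status=1
    fi

    # Same expectations as the page's table, with verification on.
    for pair in /:200 /sitemap-index.xml:200 /no-such-page:404; do
        path=${pair%:*}
        want=${pair##*:}
        got=$(http_status "$path") || got="curl-error"
        if [ "$got" = "$want" ]; then
            echo "OK: $path -> $got"
        else
            echo "FAIL: $path -> $got (expected $want)" >&2
            status=1
        fi
    done

    return $status
}

# Run the live checks only when invoked as "sh check-renewal.sh run", so the
# functions above can also be sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    main
    exit $?
fi
```

Run it as `sudo sh check-renewal.sh run` after a renewal or from a monthly cron job; a non-zero exit means one of the three things the page lists (stale certificate in Nginx, wrong path, missing name) or a chain that no longer validates. The fingerprint comparison is deliberately done on the leaf only, because `openssl x509` reads just the first PEM block of fullchain.pem.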