If you use Nginx as your web server and your SSL/TLS certificate issued by Let’s Encrypt has expired or is soon going to be expired, then you have to come to the right place. This tutorial will show you how to renew your SSL/TLS certificate issued by Let’s Encrypt. If you don’t have a SSL/TLS certificate yet, please check out this post to easily get a free one.
Renew SSL/TLS Certificate
First ssh into your Linux server and stop Nginx
sudo service nginx stop or sudo systemctl stop nginx
Then issue the following command to renew your certificate.
cd /letsencrypt ./letsencrypt-auto renew --email your-email-address --agree-tos
Replace your-email-address with your real email address. –agree-tos means agree terms of service. The above command assumes that you installed letsencrypt client using git repo:
git clone https://github.com/letsencrypt/letsencrypt
If you installed letsencrypt from software repository of your Linux distribution, then enter this command to renew your certificate.
letsencrypt renew --email your-email-address --agree-tos
If the renewal process is successful, you will see this message in the output:
Congratulations, all renewals succeeded.
Now start Nginx web server.
sudo service nginx start or sudo systemctl start nginx
If you still see “This website’s certificate is invalid or has expired” error message in the browser when viewing your website, then you may need to restart your computer.
DVSNI Challenge Failed
If you server is behind CDN, then you need to change your domain name’s A record. Point both your www domain and non-www domain to your origin server. After that, enter the renewal command mentioned above. Once the renewal process is successful, you can put your server behind CDN again.
If you don’t change A record and enter the above renewal command, you will see the following error message.
urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to host for DVSNI challenge. Skipping.
DVSNI is used by Let’s Encrypt to validate that you have control over the server. Let’s Encrypt’s server will check your domain’s A record and compare IP addresses. If your server’s IP matches the IP of your domain’s A record, then DVSNI challenge will be successful. Otherwise it will fail.