How to Renew Let’s Encrypt SSL/TLS Certificate

If you use Nginx as your web server and your SSL/TLS certificate issued by Let’s Encrypt has expired or is soon going to be expired, then you have to come to the right place. This tutorial will show you how to renew your SSL/TLS certificate issued by Let’s Encrypt. If you don’t have a SSL/TLS certificate yet, please check out this post to easily get a free one.

Renew SSL/TLS Certificate

First ssh into your Linux server and stop Nginx

sudo service nginx stop     or      sudo systemctl stop nginx

Then issue the following command to renew your certificate.

cd /letsencrypt

./letsencrypt-auto renew --email your-email-address --agree-tos

Replace your-email-address with your real email address. –agree-tos means agree terms of service. The above command assumes that you installed letsencrypt client using git repo:

git clone

If you installed letsencrypt from software repository of your Linux distribution, then enter this command to renew your certificate.

letsencrypt renew --email your-email-address --agree-tos

If the renewal process is successful, you will see this message in the output:

Congratulations, all renewals succeeded.

Now start Nginx web server.

sudo service nginx start        or        sudo systemctl start nginx

If you still see “This website’s certificate is invalid or has expired” error message in the browser when viewing your website, then you may need to restart your computer.

DVSNI Challenge Failed

If you server is behind CDN, then you need to change your domain name’s A record. Point both your www domain and non-www domain to your origin server. After that, enter the renewal command mentioned above. Once the renewal process is successful, you can put your server behind CDN again.

If you don’t change A record and enter the above renewal command, you will see the following error message.

urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to host for DVSNI challenge. Skipping.

DVSNI is used by Let’s Encrypt to validate that you have control over the server. Let’s Encrypt’s server will check your domain’s A record and compare IP addresses. If your server’s IP matches the IP of your domain’s A record, then DVSNI challenge will be successful. Otherwise it will fail.

Rate this tutorial
[Total: 1 Average: 2]

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community ( for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here