DevTools
Quick Reference
Portfolio

Let's Encrypt - Troubleshooting

Cheatsheet Certificate

Common Let's Encrypt and Certbot errors with solutions and debugging steps

Troubleshoot - Port 80 in Use

Fix “Port 80 in use” error during certificate issuance.

Find process using port 80:

sudo lsof -i :80

Stop service temporarily:

sudo systemctl stop nginx
sudo certbot certonly --standalone -d example.com
sudo systemctl start nginx

Troubleshoot - Use DNS Challenge

Alternative method when port 80 is unavailable.

sudo certbot certonly --manual --preferred-challenges dns -d example.com

Steps:

  1. Certbot will provide a TXT record
  2. Add TXT record to your DNS
  3. Wait for DNS propagation (1-5 minutes)
  4. Press Enter to continue

Troubleshoot - NGINX Plugin Missing

Fix “nginx plugin not installed” error.

sudo apt install python3-certbot-nginx

Verify installation:

certbot plugins

Expected output includes nginx plugin.

Troubleshoot - Cloudflare Error 525

Fix SSL handshake error between Cloudflare and origin.

Solutions:

  1. Set Cloudflare SSL mode to Full (not Full Strict)
  2. Temporarily disable “Always Use HTTPS”
  3. Verify certificate is installed correctly
  4. Check web server is listening on port 443

Check if server is listening on 443:

sudo netstat -tlnp | grep :443

Troubleshoot - Auto-Renew Failing

Debug automatic renewal failures.

Check renewal logs:

sudo cat /var/log/letsencrypt/letsencrypt.log

Test renewal process:

sudo certbot renew --dry-run

Troubleshoot - Common Renewal Issues

Common problems preventing auto-renewal.

Checklist:

  • Webroot path changed (check /etc/letsencrypt/renewal/*.conf)
  • Firewall blocking port 80/443
  • DNS records changed or misconfigured
  • Server not reachable from internet
  • Web server stopped or crashed

Check firewall:

# Ubuntu/Debian
sudo ufw status

# RHEL/CentOS
sudo firewall-cmd --list-all

Troubleshoot - Permission Denied

Fix permission errors when running Certbot.

# Run with sudo
sudo certbot renew

# Check log file permissions
ls -la /var/log/letsencrypt/

# Fix ownership if needed
sudo chown -R root:root /etc/letsencrypt/

Troubleshoot - DNS Propagation

Check if DNS changes have propagated.

# Check DNS from multiple locations
dig example.com
dig example.com @8.8.8.8
dig example.com @1.1.1.1

# Check TXT records for DNS challenge
dig _acme-challenge.example.com TXT

Troubleshoot - Rate Limit Exceeded

Handle Let’s Encrypt rate limit errors.

Rate limits:

  • 50 certificates per registered domain per week
  • 5 duplicate certificates per week
  • 300 new orders per account per 3 hours

Solutions:

  • Wait for rate limit reset (weekly)
  • Use staging environment for testing
  • Check existing certificates: sudo certbot certificates

Use staging for testing:

sudo certbot --staging --nginx -d example.com

Troubleshoot - Certificate Not Trusted

Fix “Certificate not trusted” browser errors.

Check certificate chain:

sudo openssl s_client -connect example.com:443 -servername example.com < /dev/null

Verify using fullchain.pem:

# Correct - includes intermediate certificates
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

# Wrong - missing chain
ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;

Troubleshoot - Connection Timeout

Fix timeout errors during validation.

Check server is reachable:

# Test from external server
curl -I http://example.com

# Check DNS resolution
nslookup example.com

# Check if port 80 is open
telnet example.com 80

Common causes:

  • Firewall blocking port 80
  • DNS pointing to wrong IP
  • Server offline or unreachable
  • Reverse proxy misconfigured

Troubleshoot - Webroot Path Invalid

Fix webroot validation errors.

Verify webroot path exists:

# Check directory exists
ls -la /var/www/html

# Create .well-known directory
sudo mkdir -p /var/www/html/.well-known/acme-challenge
sudo chown -R www-data:www-data /var/www/html/.well-known

Test webroot manually:

# Create test file
echo "test" | sudo tee /var/www/html/.well-known/acme-challenge/test.txt

# Access from browser
curl http://example.com/.well-known/acme-challenge/test.txt

Troubleshoot - Challenge Failed

Debug ACME challenge validation failures.

View detailed error:

sudo certbot renew --dry-run --debug

Check challenge type:

  • HTTP-01: Requires port 80 open, webroot accessible
  • DNS-01: Requires DNS TXT record
  • TLS-ALPN-01: Requires port 443 with ALPN support

Switch challenge type:

# Use DNS instead of HTTP
sudo certbot certonly --manual --preferred-challenges dns -d example.com

Troubleshoot - Revoked Certificate

Handle revoked certificate errors.

Delete revoked certificate:

sudo certbot delete --cert-name example.com

Issue new certificate:

sudo certbot --nginx -d example.com

Troubleshoot - Check Certbot Logs

View detailed logs for debugging.

# View main log
sudo tail -100 /var/log/letsencrypt/letsencrypt.log

# Follow log in real-time
sudo tail -f /var/log/letsencrypt/letsencrypt.log

# Search for errors
sudo grep -i error /var/log/letsencrypt/letsencrypt.log