Let's Encrypt Certificate Renewal
How Let's Encrypt 90-day certificates renew, ACME HTTP-01 vs DNS-01, verifying renewal with an SSL checker, and fixing failed auto-renew jobs.
By DN01 Network Team
Let's Encrypt issues free DV certificates valid for 90 days, assuming operators automate renewal. Manual tracking fails quickly at scale — treat ACME success as a monitored job, not a calendar note.
After every renewal deploy, confirm the live public hostname with the SSL Certificate Checker and watch notAfter move forward by ~90 days.
ACME challenge types
HTTP-01: ACME client serves a token at `http://hostname/.well-known/acme-challenge/...` — requires port 80 reachable from the internet.
DNS-01: TXT record at `_acme-challenge.example.com` — works for wildcards and when HTTP is blocked; automate via DNS API when possible.
TLS-ALPN-01: less common, used on port 443 with specific ALPN negotiation.
When renewal fails
Check certbot or ingress controller logs for a 403 or timeout on the challenge URL.
Confirm CAA records allow `letsencrypt.org` if CAA is published.
Rate limits: too many failed orders or duplicate certs per week — wait, or point the client at the staging endpoint while debugging.
Re-run SSL Checker after fix — stale CDN edge certs may cache old expiry until purge.
Frequently asked questions
- How many days before expiry should I renew?
Automate at 30 days; alert at 14. LE recommends renewal when 1/3 lifetime remains (~30 days).
- Do wildcards need DNS-01?
Yes for standard ACME clients — wildcard issuance requires DNS-01 validation.
- Will renewal change my certificate fingerprint?
Usually yes — new cert, new serial. Pinning apps must update pins or avoid pinning public LE certs.
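As an added example (not code from the original page), the renewal thresholds in the FAQ and the post-deploy notAfter check from the top of the page, written as a small Python monitor; the function names, the `live_not_after` helper and the constructed dates are assumptions.

```python
import socket
import ssl

# Thresholds from the page: LE certs live 90 days; automate renewal at 30, alert at 14.
LIFETIME_DAYS = 90
RENEW_AT_DAYS = 30
ALERT_AT_DAYS = 14
DAY = 86400

def parse_not_after(not_after):
    """Convert an OpenSSL-style UTC date such as 'Jun  1 12:00:00 2025 GMT'
    (the format getpeercert() returns) to a Unix timestamp."""
    return ssl.cert_time_to_seconds(not_after)

def days_remaining(not_after, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return int((parse_not_after(not_after) - now) // DAY)

def renewal_status(not_after, now):
    """'ok', 'renew' (automation should have fired) or 'alert' (overdue or expired)."""
    left = days_remaining(not_after, now)
    if left <= ALERT_AT_DAYS:
        return "alert"
    if left <= RENEW_AT_DAYS:
        return "renew"
    return "ok"

def renewal_deployed(old_not_after, new_not_after, now, tolerance_days=2):
    """Post-renewal check: the live notAfter must be later than before AND sit a
    full 90-day lifetime ahead of now. An unchanged notAfter after a successful
    ACME order points at a stale CDN edge or a daemon that never reloaded."""
    old = parse_not_after(old_not_after)
    new = parse_not_after(new_not_after)
    lifetime_left = (new - now) / DAY
    return new > old and abs(lifetime_left - LIFETIME_DAYS) <= tolerance_days

def live_not_after(hostname, port=443, timeout=5.0):
    """Read notAfter from the certificate the public hostname actually serves.
    Network call with full chain and hostname validation (hypothetical helper)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    # Constructed sample values, not taken from a real certificate.
    now = parse_not_after("Jun  1 00:00:00 2025 GMT")
    print(renewal_status("Jun 14 00:00:00 2025 GMT", now))          # alert
    print(renewal_deployed("Jul  1 00:00:00 2025 GMT",
                           "Aug 30 00:00:00 2025 GMT", now))        # True
```

Wire `renewal_status(live_not_after(host), time.time())` into your monitoring so a missed renewal pages someone at 14 days instead of at expiry.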