
Let's Encrypt Certificate Renewal


How Let's Encrypt 90-day certificates renew, ACME HTTP-01 vs DNS-01, verifying renewal with an SSL checker, and fixing failed auto-renew jobs.

By DN01 Network Team

Let's Encrypt issues free DV certificates valid for 90 days, assuming operators automate renewal. Manual tracking fails quickly at scale — treat ACME success as a monitored job, not a calendar note.

After every renewal deploy, confirm the live public hostname with the SSL Certificate Checker and watch notAfter move forward by ~90 days.

Hosting panels may show "SSL active" while the edge still serves an expiring cert — always validate the public hostname clients use, especially behind CDNs and reverse proxies.

ACME challenge types

HTTP-01: the ACME client serves a token at `http://hostname/.well-known/acme-challenge/...` — requires port 80 to be reachable from the internet.

DNS-01: TXT record at `_acme-challenge.example.com` — works for wildcards and when HTTP is blocked; automate via DNS API when possible.

TLS-ALPN-01: less common, used on port 443 with specific ALPN negotiation.

Pick DNS-01 when port 80 is firewalled or you need wildcard coverage; pick HTTP-01 when DNS API automation is unavailable and port 80 is open.

When renewal fails

Check certbot or ingress controller logs for a 403 or a timeout on the challenge URL.

Confirm CAA records allow `letsencrypt.org` if CAA is published.

Rate limits: too many failed orders or duplicate certificates within a week — wait, or use the staging endpoint while debugging.

Re-run SSL Checker after fix — stale CDN edge certs may cache old expiry until purge.
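The challenge-type notes and the failure checklist above can be scripted as a pre-flight before re-running a failed renewal. The script below is an added example, not the guide's or any ACME client's code: it evaluates whether the closest CAA record set permits letsencrypt.org (including the issuewild rule for wildcards), probes the HTTP-01 path on port 80 and classifies the answer the way the log check describes (timeout vs 403 vs served), and prints the current `_acme-challenge` TXT record for DNS-01. It assumes `dig` and `curl` are installed; the hostname, the probe token name and the script filename are placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight checks for the renewal failure causes above.
# Assumes dig and curl on PATH. Hostnames and the probe token are placeholders.

# Decide from a CAA record set (dig +short lines such as: 0 issue "letsencrypt.org")
# whether Let's Encrypt may issue. wild=1 applies the wildcard rules.
caa_allows_letsencrypt() {
  records="$1"; wild="${2:-0}"
  [ -z "$records" ] && return 0       # no CAA records at all: any CA may issue
  tag=issue
  # For wildcard names an issuewild set, if present, replaces issue (RFC 8659).
  if [ "$wild" = 1 ] && printf '%s\n' "$records" | grep -q ' issuewild '; then
    tag=issuewild
  fi
  tagged=$(printf '%s\n' "$records" | grep " $tag " || true)
  [ -z "$tagged" ] && return 0        # CAA present but no records for this tag: unrestricted
  # Matches values like "letsencrypt.org" and "letsencrypt.org; validationmethods=dns-01";
  # a bare ";" means no CA may issue and correctly fails here.
  printf '%s\n' "$tagged" | grep -q '"letsencrypt\.org'
}

# CAA is inherited: the closest ancestor with a CAA set decides, so walk up the labels.
lookup_caa() {
  name="$1"
  while [ -n "$name" ]; do
    out=$(dig +short "$name" CAA)
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
    case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
  done
}

# HTTP-01 probe: request a made-up token on port 80 and return the HTTP status code.
# curl reports 000 when no connection could be made (closed or filtered port 80).
http01_probe() {
  curl -s -o /dev/null -m 10 -w '%{http_code}' \
    "http://$1/.well-known/acme-challenge/preflight-probe-token"
}

# Turn the status code into the diagnosis the log check above is looking for.
classify_http01() {
  case "$1" in
    000) echo unreachable ;;          # timeout/refused: firewall or nothing listening on :80
    401|403) echo forbidden ;;        # answered but blocked: auth, WAF or location rule
    2??|3??|404) echo reachable ;;    # path is served; 404 for a fake token is expected,
                                      # and the validator follows 3xx redirects to HTTPS
    *) echo "unexpected:$1" ;;
  esac
}

# Usage: sh acme-preflight.sh www.example.com [wildcard 0|1]
if [ $# -gt 0 ]; then
  host="$1"
  if caa_allows_letsencrypt "$(lookup_caa "$host")" "${2:-0}"; then
    echo "CAA: letsencrypt.org permitted for $host"
  else
    echo "CAA: letsencrypt.org NOT permitted for $host (inspect the closest CAA record set)"
  fi
  echo "HTTP-01: $(classify_http01 "$(http01_probe "$host")")"
  echo "DNS-01 TXT at _acme-challenge.$host: $(dig +short "_acme-challenge.$host" TXT)"
fi
```

Run it against the same public hostname the CA resolves, not an internal name. A `reachable` verdict from a 404 is the healthy result for a made-up token; `unreachable` is the firewalled-port-80 case where DNS-01 is the better choice, and `forbidden` points at a WAF or web server rule on the `.well-known` path.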

Monitoring and automation

Treat ACME renewal as a cron job with alerting — silent failure is the main cause of LE outages at small shops.

After every successful renewal, confirm notAfter moved forward ~90 days on the public hostname with the SSL Certificate Checker, not only in certbot logs.

Kubernetes cert-manager and hosting panels may renew internally while the edge load balancer still serves an old secret — test the URL browsers hit.

Document which challenge type each hostname uses (HTTP-01 vs DNS-01) so DNS migrations do not break renewal without anyone noticing until expiry.
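The verification advice (confirm notAfter on the public hostname after each deploy, not only in certbot logs) and the cron-with-alerting point can be covered by one small check. The script below is an added example, not the guide's SSL Certificate Checker or certbot's own code: it fetches the leaf certificate with SNI from the hostname clients actually use, converts notAfter into days remaining, and exits non-zero at the guide's 30-day and 14-day thresholds so cron can alert on it. It assumes the `openssl` CLI and GNU `date`; `www.example.com` and the script name are placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): check the certificate a public hostname actually serves.
# Assumes the openssl CLI and GNU date; the hostname is a placeholder you replace.
# Exit status is cron/alert friendly: 0 OK, 1 WARN (renewal due), 2 CRIT (expiring) or error.

# Pull notAfter from the leaf certificate presented by the live endpoint.
# -servername sends SNI, so a CDN or reverse proxy returns the cert for this name
# rather than a default/fallback cert.
fetch_not_after() {
  host="$1"; port="${2:-443}"
  openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Whole days from a reference epoch (default: now) to a notAfter string
# in openssl's format, e.g. "Jun 20 12:00:00 2025 GMT". Negative means expired.
days_until() {
  not_after="$1"; now="${2:-$(date +%s)}"
  end=$(date -u -d "$not_after" +%s) || return 1
  echo $(( (end - now) / 86400 ))
}

# Thresholds from the guide: automate renewal at 30 days, alert at 14.
expiry_status() {
  if [ "$1" -le 14 ]; then echo CRIT
  elif [ "$1" -le 30 ]; then echo WARN
  else echo OK
  fi
}

check_host() {
  not_after=$(fetch_not_after "$1")
  if [ -z "$not_after" ]; then
    echo "$1: no certificate returned on 443" >&2
    return 2
  fi
  days=$(days_until "$not_after") || return 2
  status=$(expiry_status "$days")
  echo "$1 notAfter=$not_after days_left=$days status=$status"
  case "$status" in OK) return 0 ;; WARN) return 1 ;; *) return 2 ;; esac
}

# Usage from cron, e.g. daily after the renewal job:
#   sh check-expiry.sh www.example.com || <your alerting command>
# A successful renewal shows days_left jumping back to ~89 on the public hostname.
if [ $# -gt 0 ]; then
  check_host "$1"
fi
```

Because the check goes through the public edge with SNI, it catches the cases the guide warns about: cert-manager or a hosting panel renewed internally, but the load balancer or CDN still serves the old certificate until its secret or cache is refreshed.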

Frequently asked questions

How many days before expiry should I renew?

Automate at 30 days; alert at 14. LE recommends renewing when one third of the lifetime remains (~30 days).

Do wildcards need DNS-01?

Yes for standard ACME clients — wildcard issuance requires DNS-01 validation.

Will renewal change my certificate fingerprint?

Usually yes — new cert, new serial. Pinning apps must update pins or avoid pinning public LE certs.

Can I test renewal without hitting production limits?

Use the Let's Encrypt staging CA in certbot or cert-manager during setup — staging certs are not trusted by browsers but validate the automation.

Does renewal change DNS records?

HTTP-01 does not; DNS-01 adds temporary TXT records during validation — automate cleanup after success.