The Problem: Certificates Expire, Renewals Fail
You set up Let’s Encrypt with Caddy, Traefik, or Certbot. HTTPS works. Then 90 days later, your site goes down because the certificate expired. The renewal cron job failed silently, or the ACME challenge didn’t complete, or DNS changed.
At Canadian Web Hosting, we see this weekly: sites going offline because automated certificate renewal failed. The problem isn’t Let’s Encrypt—it’s that most users don’t understand how the renewal process actually works, what can go wrong, and how to monitor it.
This guide explains Let’s Encrypt certificate renewal from the ground up. You’ll learn:
- How Let’s Encrypt’s ACME protocol works (beyond “it gets certs”)
- The three renewal methods: HTTP-01, DNS-01, and TLS-ALPN-01
- Common failure modes and how to diagnose them
- Monitoring strategies to catch renewal failures before they cause downtime
- Advanced topics: wildcard certificates, multi-domain SANs, and rate limits
What You Will Need
To follow along, you’ll need a server with:
- A public IP address and domain name pointing to it
- Root or sudo access to install packages
- Port 80 (HTTP) or 443 (HTTPS) open for ACME challenges
For production use, we recommend a Cloud VPS from Canadian Web Hosting. Our VPS plans include Canadian data centres, 24/7 support, and full root access. Not comfortable managing certificates yourself? Add Managed Support—our team will handle setup, renewal monitoring, and troubleshooting.
How Let’s Encrypt Works: The ACME Protocol
Let’s Encrypt uses the Automated Certificate Management Environment (ACME) protocol. Unlike traditional CAs where you manually generate a CSR and wait for approval, ACME automates the entire process:
- Account creation: Your ACME client (Certbot, Caddy, etc.) creates an account with Let’s Encrypt
- Order placement: The client requests a certificate for one or more domains
- Authorization challenge: Let’s Encrypt asks the client to prove control of each domain
- Challenge completion: The client completes the challenge (HTTP, DNS, or TLS)
- Certificate issuance: Let’s Encrypt issues the certificate
- Installation: The client installs the certificate on your server
The magic—and the complexity—is in steps 3–4. Let’s break down the three challenge types.
Challenge Types: HTTP-01, DNS-01, and TLS-ALPN-01
HTTP-01 Challenge (Most Common)
Let’s Encrypt gives your ACME client a unique token. The client must make this token available at:
http://YOUR-DOMAIN/.well-known/acme-challenge/TOKEN
Let’s Encrypt then attempts to fetch this URL. If it gets the correct token back, you prove control of the domain.
Pros: Simple, works for most web servers.
Cons: Requires port 80 open and accessible from the internet. Doesn’t work for wildcard certificates.
DNS-01 Challenge (For Wildcards and Restricted Servers)
Let’s Encrypt gives your client a TXT record value. You must create a DNS record at:
_acme-challenge.YOUR-DOMAIN. IN TXT "record-value"
Let’s Encrypt queries DNS for this record. If it matches, you prove control.
Pros: Works for wildcard certificates (*.your-domain.com). Doesn’t require open ports.
Cons: Requires API access to your DNS provider. Slower (DNS propagation).
TLS-ALPN-01 Challenge (For TLS-Terminating Proxies)
A specialized challenge that happens during TLS handshake. Used by Caddy and other modern proxies.
Pros: Works even if port 80 is blocked (only needs 443). Fast.
Cons: Requires TLS-ALPN-01 support in your ACME client and server.
Renewal Process: What Actually Happens
Let’s Encrypt certificates are valid for 90 days. The renewal process is identical to initial issuance—your client must complete a fresh challenge.
Critical detail: Renewal can happen any time after the certificate is 30 days old (60 days remaining). Let’s Encrypt recommends renewing when the certificate has 30 days left.
Most clients (Certbot, Caddy) run a cron job that:
- Checks certificate expiry (daily)
- If expiry < 30 days, attempts renewal
- If successful, reloads the web server
- Logs the result
The problem? This cron job can fail silently. Common failure modes:
1. Port Blocking (HTTP-01 Failures)
If port 80 is blocked by a firewall, cloud security group, or ISP, HTTP-01 challenges fail. Solution: Use DNS-01 or ensure port 80 is open.
2. DNS Propagation Delays (DNS-01 Failures)
If your DNS provider has slow propagation (some take hours), Let’s Encrypt might query before the TXT record is visible globally. Solution: Use providers with API-based instant updates (Cloudflare, AWS Route53).
3. Web Server Configuration Changes
You moved .well-known/acme-challenge to a different location, or added authentication, or changed rewrite rules. The token is no longer publicly accessible. Solution: Test challenge URLs manually.
4. Rate Limiting
Let’s Encrypt has strict rate limits:
- 50 certificates per registered domain per week
- 5 failed authorizations per account per hostname per hour
- 300 new orders per account per 3 hours
If you’re testing frequently or have many subdomains, you can hit these limits. Solution: Use the staging environment for testing.
Monitoring Renewal Success
Don’t wait for expiry. Monitor proactively:
1. Certificate Expiry Monitoring
Use tools that check certificate expiry:
- Uptime Kuma: Has SSL certificate monitoring
- Prometheus + blackbox_exporter: Can probe SSL expiry
- Nagios/Icinga plugins: check_ssl_cert
Set alerts for certificates expiring in < 21 days (gives you buffer). Once renewed, verify your configuration with SSL Labs to check cipher suites and protocol support.
2. ACME Client Log Monitoring
Your ACME client logs renewal attempts. Monitor these logs:
- Certbot: /var/log/letsencrypt/letsencrypt.log
- Caddy: stdout/stderr or journalctl -u caddy
- Traefik: Traefik logs
Look for “ERROR” or “failed” messages. Better: parse logs with Loki/Promtail or log aggregation.
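An added example (not part of the original article) of the log check: it scans Certbot-style log lines for the “ERROR”/“failed” signals above, but also alerts when the log has simply gone quiet, which is what a silently dead cron job looks like. The line layout and the success markers are assumptions about Certbot’s log format; the sample log is constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Assumed Certbot log layout: '2025-03-01 03:15:02,118:LEVEL:logger:message'.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:(\w+):")
# The two strings the text says to grep for, plus assumed Certbot success markers.
FAILURE_RE = re.compile(r"\bERROR\b|\bfailed\b", re.IGNORECASE)
SUCCESS_RE = re.compile(r"not yet due for renewal|Congratulations", re.IGNORECASE)


def utc(*ymd: int) -> datetime:
    """Aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*ymd, tzinfo=timezone.utc)


def analyse_log(lines: Iterable[str], now: datetime,
                max_silence: timedelta = timedelta(days=2)) -> dict:
    """Summarise an ACME client log. 'alert' is set when the newest entry is
    older than max_silence (the cron job stopped running, which a plain grep
    for ERROR can never detect) or when the latest attempt failed and no
    later attempt succeeded."""
    last_entry = last_failure = last_success = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines (tracebacks) carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        last_entry = ts
        if m.group(2) == "ERROR" or FAILURE_RE.search(line):
            last_failure = ts
        elif SUCCESS_RE.search(line):
            last_success = ts
    silent = last_entry is None or now - last_entry > max_silence
    failing = last_failure is not None and (last_success is None or last_failure > last_success)
    return {"last_entry": last_entry, "silent": silent, "failing": failing,
            "alert": silent or failing}


# Constructed sample log (not a real Certbot log): one failed attempt, then recovery.
SAMPLE_LOG = """\
2025-03-01 03:15:02,118:INFO:certbot._internal.renewal:Cert not yet due for renewal
2025-03-02 03:15:01,902:ERROR:certbot._internal.renewal:Failed to renew certificate example.com with error: Some challenges have failed.
2025-03-03 03:15:03,044:INFO:certbot._internal.renewal:Cert not yet due for renewal
""".splitlines()

if __name__ == "__main__":
    print(analyse_log(SAMPLE_LOG, utc(2025, 3, 4)))   # recovered: no alert
    print(analyse_log(SAMPLE_LOG, utc(2025, 3, 10)))  # a week of silence: alert
```

Point it at /var/log/letsencrypt/letsencrypt.log from a cron job or exporter and alert on the `alert` key; tune `max_silence` to slightly more than your renewal check interval.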
3. Web Server Configuration Test
After renewal, test that the new certificate is actually being used:
openssl s_client -connect your-domain.com:443 -servername your-domain.com 2>/dev/null | openssl x509 -noout -dates
This shows the certificate’s notBefore and notAfter dates. Verify notAfter is ~90 days in the future.
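The same check as a small monitor, added here as an example (not code from the original article): it reproduces the openssl probe with SNI, applies the 21-day alert threshold from the monitoring section, and confirms that a freshly renewed certificate is ~90 days out. The threshold constants are the article’s; any host you pass in is a placeholder.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

WARN_DAYS = 21          # alert threshold from the text: fewer than 21 days left
LE_LIFETIME_DAYS = 90   # Let's Encrypt certificates are valid for 90 days


def utc(*ymd: int) -> datetime:
    """Aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*ymd, tzinfo=timezone.utc)


def parse_validity(not_before: str, not_after: str) -> Tuple[datetime, datetime]:
    """Parse OpenSSL-style dates ('Dec 31 23:59:59 2025 GMT'), the format both
    `openssl x509 -dates` and ssl.getpeercert() produce, into UTC datetimes."""
    def to_dt(s: str) -> datetime:
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)
    return to_dt(not_before), to_dt(not_after)


def fetch_validity(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[datetime, datetime]:
    """Python equivalent of the openssl s_client probe: connect with SNI so a
    multi-site server presents the certificate for this name. Network call.
    Note: the default context verifies the chain, so an already-expired or
    broken certificate raises ssl.SSLError here; treat that as an alert too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return parse_validity(cert["notBefore"], cert["notAfter"])


def assess(not_after: datetime, now: Optional[datetime] = None, warn_days: int = WARN_DAYS):
    """Monitoring verdict: EXPIRED, WARN (renewal is overdue, check the ACME
    client) or OK, together with the days left as a float."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now) / timedelta(days=1)
    if days_left <= 0:
        return "EXPIRED", days_left
    return ("WARN" if days_left < warn_days else "OK"), days_left


def freshly_renewed(not_after: datetime, now: Optional[datetime] = None, tolerance_days: int = 2) -> bool:
    """Post-renewal check from the text: notAfter should be ~90 days out. If it
    is not, the web server is most likely still serving the old certificate."""
    now = now or datetime.now(timezone.utc)
    return abs((not_after - now) / timedelta(days=1) - LE_LIFETIME_DAYS) <= tolerance_days
```

Run `fetch_validity("your-domain.com")` against a live host and feed the returned notAfter to `assess` for routine monitoring and to `freshly_renewed` right after a renewal.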
Advanced Topics
Wildcard Certificates
Wildcards (*.your-domain.com) require DNS-01 challenges. You must have API access to your DNS provider. Popular integrations:
- Certbot with DNS plugins (cloudflare, route53, etc.)
- Caddy with DNS providers module
- acme.sh with 100+ DNS API integrations
Warning: Wildcards only cover one level (*.your-domain.com matches a.your-domain.com but NOT a.b.your-domain.com).
Multi-Domain SAN Certificates
A single certificate with Subject Alternative Names (SANs) can cover multiple domains. Useful for:
- Multiple domains on same server (domain1.com, domain2.com)
- WWW and non-WWW (your-domain.com, www.your-domain.com)
- Different TLDs (your-domain.com, your-domain.ca)
Each domain in the SAN list must pass its own challenge.
Staging vs Production Environment
Let’s Encrypt provides a staging environment (acme-staging-v02.api.letsencrypt.org) with higher rate limits and fake certificates. Use it for:
- Testing new configurations
- Debugging challenge failures
- Automation development
Staging certificates aren’t trusted by browsers—they’re for testing only.
Common Problems and Solutions
Problem: “Too many registrations for this IP”
You’ve hit the rate limit. Wait 1 week or use a different IP address.
Problem: “Validation failed for domain”
The challenge failed. Check:
- HTTP-01: Can you access http://your-domain.com/.well-known/acme-challenge/test? (Create a test file)
- DNS-01: Use dig TXT _acme-challenge.your-domain.com to verify the record
- TLS-ALPN-01: Check that port 443 is open and your proxy supports TLS-ALPN-01
Problem: “Certificate not yet due for renewal”
Your certificate has > 30 days left. Wait, or force renewal with the --force-renewal flag (but respect rate limits).
Problem: Web server not reloading after renewal
The certificate renewed but the web server is still using the old one. Manually reload:
- Nginx: nginx -s reload
- Apache: systemctl reload apache2
- Caddy: systemctl reload caddy
Conclusion
If you’re just getting started, our Let’s Encrypt setup guide covers initial installation. Let’s Encrypt automated certificate renewal works reliably—when you understand the mechanics. The key takeaways:
- Choose the right challenge type for your environment (HTTP-01 for simple web servers, DNS-01 for wildcards)
- Monitor proactively—don’t wait for expiry. Check certificate dates and ACME client logs.
- Test in staging before changing production configurations.
- Have a fallback plan—if automated renewal fails, know how to manually renew.
At Canadian Web Hosting, we help customers with SSL certificate setup and monitoring as part of our Managed Support services. Whether you’re running a simple WordPress site or a complex multi-domain setup, our team can ensure your certificates renew automatically and your sites stay online.
Need help with Let’s Encrypt or SSL certificates? Contact our support team—we’re here 24/7.