Steps to renew SSL certificates generated using Certbot for Nginx on Ubuntu

Let’s Encrypt certificates are valid for only ninety days and need to be renewed after that, either automatically or manually. Renewing SSL certificates with Certbot is generally a smooth process, but what if there are errors?

In this post we'll cover the automatic renewal of SSL certificates generated using Let’s Encrypt and Certbot for Nginx. We'll also see how to dry-run the renewal process and work around one of the most common issues when port 80 is already in use by a web server.

Prerequisites:

Steps to renew SSL certificates created with Certbot and Let’s Encrypt for Nginx:

When necessary, Certbot will renew the certificates and reload Nginx to pick up the changes. If the automated renewal process fails, Let’s Encrypt will send a message to the email we specified while generating the certificates, warning us when the certificate is about to expire.

Checking if any certificate is due for renewal:

sudo certbot certificates

Attempting the renewal, or dry-running the renewal process to identify any errors:

sudo certbot renew
or
sudo certbot renew --dry-run

Certbot, when using the standalone plugin, attempts to use port 80 to create a temporary web server for the certificate renewal process. If another service, like a web server (e.g., Nginx or Apache), is already using port 80, Certbot cannot bind to it, leading to the error.

Sample error: Failed to renew certificate domain-name: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

You'll need to determine which service is using port 80. The usual suspect is a web server, Nginx in our setup, but it could be another application as well.

sudo lsof -i :80

Once you've identified the service, you need to temporarily stop it to free up port 80. The command to stop the service depends on your operating system and the specific service.

sudo systemctl stop nginx
sudo systemctl status nginx

After stopping the service, you can rerun the Certbot command to renew the certificate.

sudo certbot renew

After successfully renewing the certificate, restart the service that was previously using port 80.

sudo systemctl start nginx
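
The stop, renew and start steps above leave Nginx down if the renewal fails partway. The following wrapper is an added example, not part of the original post: it runs the same three commands but always starts Nginx again and reports Certbot's exit status. The function name and the SYSTEMCTL and CERTBOT override variables are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: stop nginx, renew, and always bring nginx back up.
# SYSTEMCTL and CERTBOT are overridable (an assumption of this example) so
# the logic can be exercised without touching real services.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
CERTBOT="${CERTBOT:-certbot}"

renew_with_nginx_stopped() {
    local rc=0 was_active=0

    # Only stop/start nginx if it was actually running beforehand.
    if "$SYSTEMCTL" is-active --quiet nginx; then
        was_active=1
        "$SYSTEMCTL" stop nginx || return 1
    fi

    # Run the renewal; remember its status instead of bailing out on failure.
    "$CERTBOT" renew "$@" || rc=$?

    # Start nginx again whether or not the renewal succeeded.
    if [ "$was_active" -eq 1 ]; then
        if ! "$SYSTEMCTL" start nginx; then
            echo "nginx failed to start after the renewal attempt" >&2
            return 2
        fi
    fi

    if [ "$rc" -ne 0 ]; then
        echo "certbot renew failed with status $rc; nginx is running again" >&2
    fi
    return "$rc"
}

# Run for real only when asked: sudo ./renew.sh --run [extra certbot renew args]
if [ "${1:-}" = "--run" ]; then
    shift
    renew_with_nginx_stopped "$@"
fi
```

Extra arguments are passed through to `certbot renew`, so `sudo ./renew.sh --run --dry-run` rehearses the whole sequence first.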

And that's it, we are done. We have successfully renewed the SSL certificate for our domain. Regularly renewing your SSL certificates is crucial for maintaining the security and trustworthiness of your website.