
Renewing SSL Certificates

How SSL certificate renewal works in Opterius, and what to do when it fails.

Last updated 2026-04-08

Let's Encrypt certificates expire after 90 days. Opterius handles renewal automatically — you shouldn't need to think about it. This article explains the mechanism and what to do when something goes wrong.

Automatic Renewal

Certbot installs a systemd timer during installation:

# Check the timer status
systemctl status certbot.timer

# See when it last ran and next run
systemctl list-timers certbot

The timer runs twice daily. On each run, certbot renew checks all issued certificates. Any cert within 30 days of expiry is renewed automatically. The timer fires at a random minute within each half-day window to spread load across millions of Let's Encrypt users.

After successful renewal, Certbot reloads Nginx so the new certificate is loaded immediately.

Checking Certificate Expiry

In Hosting Mode, go to SSL. The expiry date is shown for each certificate. Certs expiring within 30 days are flagged.

From the command line:

certbot certificates
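
Added example (not part of the original article and not Opterius or Certbot code): a small shell filter that reads the text printed by certbot certificates and lists every certificate that is invalid or inside the 30-day renewal window, so the check can run from cron. The function names flag_expiring and sample_certbot_output are hypothetical, the sample listing is constructed, and the filter assumes the status appears in parentheses after the expiry date, as in the sample.

```shell
#!/bin/sh
# Added example: flag certificates needing attention from `certbot certificates` output.
# Constructed sample of that output (names and dates are made up).
sample_certbot_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: shop.example.com
    Domains: shop.example.com www.shop.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 61 days)
  Certificate Name: blog.example.com
    Domains: blog.example.com
    Expiry Date: 2030-01-12 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2030-01-01 04:00:00+00:00 (VALID: 5 hour(s))
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-11-02 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# flag_expiring [DAYS]: read the listing on stdin, print "name<TAB>status" for each
# certificate that is INVALID or has fewer than DAYS days left (default 30, the
# renewal window). Returns 1 if anything was flagged, 0 otherwise.
flag_expiring() {
    awk -v limit="${1:-30}" '
        /Certificate Name:/ { name = $0; sub(/^.*Certificate Name:[ \t]*/, "", name) }
        /Expiry Date:/ {
            status = $0                      # keep only the text inside ( ... )
            sub(/^[^(]*\(/, "", status)
            sub(/\)[ \t]*$/, "", status)
            flag = 0
            if (status ~ /^INVALID/)      flag = 1   # expired, revoked or test cert
            else if (status ~ /hour/)     flag = 1   # less than one day left
            else if (match(status, /[0-9]+/)) {
                if (substr(status, RSTART, RLENGTH) + 0 < limit + 0) flag = 1
            } else                        flag = 1   # unknown status: fail closed
            if (flag) { printf "%s\t%s\n", name, status; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the sample; on a server: certbot certificates 2>/dev/null | flag_expiring 30
sample_certbot_output | flag_expiring 30 || true
```

A certificate that is still listed inside the 30-day window after several timer runs is one whose renewal is failing, which is the case the troubleshooting section covers.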

Manual Renewal

If you need to renew a specific certificate immediately (e.g., to test that renewal works, or to recover from a failure):

  1. In Hosting Mode, go to SSL
  2. Find the certificate
  3. Click Renew Now

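Or via the command line on the server. A forced renewal requests a new certificate even when the current one is not yet due, so repeated runs count toward the rate limit listed in the table below: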

certbot renew --cert-name domain.com --force-renewal

When Automatic Renewal Fails

If a certificate can't be renewed, the existing certificate stays in place and, once it passes its expiry date, remains expired until the issue is fixed. The most common causes:

| Problem | Cause | Fix |
|---|---|---|
| Domain no longer points to this server | DNS changed | Update A record or re-issue with correct IP |
| Port 80 blocked | Firewall rule added after initial issuance | Open port 80: ufw allow 80 |
| Domain deleted from panel | Account or domain removed after cert was issued | Delete the old cert: certbot delete --cert-name domain.com |
| Rate limit hit | Too many renewals in a short period | Wait until the rate window resets (7 days) |

To see exactly why renewal failed:

journalctl -u certbot -n 50
# or
tail -n 100 /var/log/letsencrypt/letsencrypt.log

Certificate Expiry Notifications

The panel sends email notifications when a certificate is expiring soon and renewal is failing. Configure the notification email in Settings → Notifications.

Let's Encrypt also sends expiry emails directly to the address used when registering Certbot (set during installation). Check both.
