Advanced Topics
Troubleshooting
Where to find logs
# Certbot logs
/var/log/letsencrypt/letsencrypt.log
# View last lines
tail -100 /var/log/letsencrypt/letsencrypt.log
# Run with debug output (--debug shows tracebacks on errors; -v / -vv raises the log level)
certbot certonly --nginx -d domain.com --debug
Common errors and solutions
Challenge failed - Port 80 blocked
ERROR: Challenge failed for domain domain.com
Type: connection
Detail: Fetching http://domain.com/.well-known/acme-challenge/xxx: Connection refused
Cause: Let's Encrypt's validation servers cannot reach port 80 on the address your A/AAAA records point to. Validation is performed from several vantage points on the public internet, so a test that succeeds from inside your own network proves nothing: test from outside. If the domain has an AAAA record, Let's Encrypt will try IPv6 first, so the web server must listen on that address too.
Solutions:
# Check if port 80 is reachable from outside (a 404 here is fine: it proves the web server answered)
curl -I http://domain.com/.well-known/acme-challenge/test
# Check firewall
sudo ufw status
sudo iptables -L -n | grep 80
# Check if Nginx/Apache is running (and listening on port 80 on both IPv4 and IPv6)
systemctl status nginx
Rate limit exceeded
ERROR: too many certificates already issued for exact set of domains
Cause: You hit the Duplicate Certificate limit: 5 certificates per sliding 7-day window for the same exact set of names. This usually means a setup script deletes and re-issues instead of renewing, or tests are being run against production.
Solutions:
# Use staging for tests (separate, much higher limits; its certificates are not browser-trusted)
certbot certonly --test-cert --nginx -d domain.com
# Otherwise wait for the oldest issuance to fall out of the 7-day window, or use a different set of names for tests
In production, renew with certbot renew instead of re-issuing, and keep a backup of /etc/letsencrypt so a reinstall does not burn through the limit.
DNS problem - NXDOMAIN
ERROR: DNS problem: NXDOMAIN looking up A for domain.com
Cause: The name does not exist in public DNS: it was never created, a zone change hasn't propagated yet, or the zone's authoritative servers are not the ones you edited. Let's Encrypt resolves the name from its own servers, so what your local resolver cache says does not matter.
Solutions:
# Check if DNS is configured
dig A domain.com
dig AAAA domain.com
# Check which authoritative servers public resolvers will ask (the records must exist there)
dig NS domain.com
# Check propagation from a public resolver
nslookup domain.com 8.8.8.8
Unauthorized - CAA record
ERROR: CAA record for domain.com prevents issuance
Cause: A CAA record restricts which CAs may issue for the name, and Let's Encrypt is not listed. The CA looks for CAA records on the exact name and then on each parent in turn (sub.domain.com, domain.com, com) and uses the closest set it finds, so a record on the parent zone applies to every subdomain that has no CAA record of its own. For wildcard certificates an issuewild record, if present, takes precedence over issue.
Solution:
# Check current CAA (check the parents as well if the name itself has none)
dig CAA domain.com
# Add Let's Encrypt to CAA (at DNS provider). Add a record; don't replace existing ones if other CAs must keep issuing
domain.com. CAA 0 issue "letsencrypt.org"
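As an added worked example (not code from this page, from Certbot or from Let's Encrypt), the following Python models the CAA check the CA performs before issuing: walk from the name up through its parents, take the closest CAA set, prefer issuewild for wildcard names, and report whether letsencrypt.org is authorized and which record would fix it if not. DNS answers come from a constructed ZONE table instead of live queries so it runs offline; `lookup_caa`, the record layout and the zone contents are this example's assumptions. A CAA set that has no issue/issuewild property is treated as unrestricted, which is how Let's Encrypt handles that case.

```python
"""Offline model of the CAA check a CA performs before issuing (RFC 8659).

Added example, not code from this page, Certbot or Let's Encrypt. DNS answers
come from the constructed ZONE table below instead of real queries.
"""
from __future__ import annotations
from dataclasses import dataclass

LETSENCRYPT_ISSUER = "letsencrypt.org"


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str      # "issue", "issuewild" or "iodef"
    value: str    # e.g. 'letsencrypt.org; validationmethods=dns-01', or ';' meaning "nobody"


# Constructed stand-in for DNS: name -> CAA RRset. Names not listed have no CAA records.
ZONE: dict[str, list[CAARecord]] = {
    "example.com": [CAARecord(0, "issue", "digicert.com"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "open.example.com": [CAARecord(0, "issue", "letsencrypt.org")],
    "wild.example.com": [CAARecord(0, "issue", "letsencrypt.org"),
                         CAARecord(0, "issuewild", ";")],       # hosts yes, wildcard no
}


def lookup_caa(name: str) -> list[CAARecord]:
    """Stub resolver (assumption): swap in a real CAA query, e.g. via dnspython, for live use."""
    return ZONE.get(name, [])


def relevant_caa_set(name: str) -> list[CAARecord]:
    """RFC 8659 section 3: the first non-empty CAA RRset walking from the name up to the TLD.
    A leading '*.' is dropped first, so a wildcard is checked at its parent name."""
    labels = (name[2:] if name.startswith("*.") else name).lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_of(record: CAARecord) -> str:
    """Issuer domain of an issue/issuewild value; parameters after ';' don't affect matching."""
    return record.value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, issuer: str = LETSENCRYPT_ISSUER) -> tuple[bool, str]:
    """Decide whether CAA allows `issuer` to issue for `name`; returns (permitted, explanation)."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(name)
    if not rrset:
        return True, "no CAA records on the name or any parent: any CA may issue"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                       # issuewild overrides issue for wildcard names
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        # Let's Encrypt treats an RRset without the relevant property as unrestricted.
        return True, f"relevant CAA set has no {tag} property: unrestricted"
    allowed = {issuer_of(r) for r in applicable} - {""}   # 'issue ";"' authorizes nobody
    if issuer.lower() in allowed:
        return True, f"{issuer} is authorized by an {tag} record"
    fix = f'{name[2:] if wildcard else name}. CAA 0 {tag} "{issuer}"'
    return False, f"{tag} records authorize {', '.join(sorted(allowed)) or 'no CA'}; add: {fix}"


if __name__ == "__main__":
    for n in ["www.example.com", "open.example.com", "*.open.example.com",
              "wild.example.com", "*.wild.example.com", "host.nocaa.example.org"]:
        ok, why = caa_permits(n)
        print(f"{'PERMIT' if ok else 'BLOCK ':6} {n:24} {why}")
```

Note that www.example.com is blocked by the record on example.com even though www.example.com has no CAA record of its own, and that the wildcard for wild.example.com is blocked by `issuewild ";"` while the plain host name is allowed; those are the two cases that most often surprise people reading `dig CAA` output for the exact name only.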
Testing renewal
# Simulate renewal against the staging environment (nothing is saved; the live certificate is untouched)
certbot renew --dry-run
# If it fails, pause before validation so you can inspect the challenge files or DNS records
certbot renew --dry-run --debug-challenges
Certificate Revocation
When to revoke?
| Situation | Action |
|---|---|
| Private key compromised | Revoke immediately (reason keycompromise) and issue a new certificate with a new key |
| Server hacked | Assume the key is compromised: revoke, rebuild, then issue a new certificate with a new key |
| Domain sold/transferred | Revoke before transfer |
| Certificate issued by mistake | Revoke |
| Normal renewal | No need to revoke; the old certificate simply expires |
How to revoke
# Revoke using the local certificate (Certbot uses the ACME account that issued it; for a Certbot-managed lineage --cert-name domain.com works as well)
certbot revoke --cert-path /etc/letsencrypt/live/domain.com/cert.pem
# Revoke by proving possession of the private key: needed when the certificate was issued from a different ACME account or machine. The certificate itself is still required.
certbot revoke --cert-path /path/to/cert.pem --key-path /path/to/privkey.pem
# Revocation reasons (optional)
certbot revoke --cert-path /path/to/cert.pem --reason keycompromise
# Reasons: unspecified, keycompromise, affiliationchanged, superseded, cessationofoperation
# Use keycompromise only when it is true: Let's Encrypt then blocks that key from ever appearing in a new certificate
After revoking
# Certbot offers to delete the lineage when revoking; if you declined, remove it now
certbot delete --cert-name domain.com
# Issue new certificate (Certbot generates a fresh private key unless --reuse-key is set)
certbot certonly --nginx -d domain.com
After revoking, the CA publishes the revocation (Let's Encrypt does so in its CRLs) and clients that check revocation status reject the certificate. Many clients don't check, or fail open when the check is unavailable, so revocation limits damage but does not replace rotating the key. There is no way to "unrevoke".
Backup and Migration
Complete backup
# Backup entire Let's Encrypt configuration (run as root: archive/ holds the private keys)
sudo tar -czvf letsencrypt-backup-$(date +%Y%m%d).tar.gz /etc/letsencrypt/
# Important files:
# /etc/letsencrypt/live/ - Current certificates (relative symlinks into archive/)
# /etc/letsencrypt/archive/ - Certificate history, including every private key ever issued
# /etc/letsencrypt/renewal/ - Renewal configurations (contain absolute paths, so restore to the same location)
# /etc/letsencrypt/accounts/ - ACME account credentials (the account private key)
# /etc/letsencrypt/cli.ini - Global Certbot options, if you created one
The archive is as sensitive as the private keys it contains: keep it root-only, encrypt it before it leaves the host, and never commit it to version control.
Migrate to new server
# On OLD server - create backup
sudo tar -czvf letsencrypt-backup.tar.gz /etc/letsencrypt/
# Transfer to new server (the archive contains private keys: use an authenticated, encrypted channel such as scp)
scp letsencrypt-backup.tar.gz user@newserver:/tmp/
# On NEW server - restore to the same path; tar run as root preserves the root-only permissions
sudo tar -xzvf /tmp/letsencrypt-backup.tar.gz -C /
# Install Certbot on new server and other plugins if needed (the nginx plugin also needs the site's nginx config to exist here)
sudo apt install certbot python3-certbot-nginx
# Verify restored certificates
certbot certificates
# Test renewal
certbot renew --dry-run
Once the new server is live, stop the renewal timer or cron job on the old one and delete its copy of /etc/letsencrypt: two hosts renewing the same lineage with the same account will each obtain certificates, and one of them ends up serving a certificate nobody monitors. Remove the backup from /tmp after restoring.
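Before trusting `certbot renew` on the new host, it is worth checking the restored tree for the mistakes a tar restore makes silently: live/ symlinks that no longer resolve into archive/, renewal conf files whose absolute paths still point at the old location, and private keys readable by group or others. The script below is an added example, not Certbot's own code; the directory layout it inspects is Certbot's, while the helper names (`check_letsencrypt_tree`, `build_sample_tree`, `run_demo`) and the throwaway sample trees it builds so the demo runs offline are this example's assumptions.

```python
"""Sanity-check a restored /etc/letsencrypt tree before relying on `certbot renew`.

Added example, not Certbot's own code. The directory layout it inspects is
Certbot's; the helper names and the sample trees are this example's.
"""
from __future__ import annotations
import os
import tempfile
from pathlib import Path

LINKS = ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")
CONF_PATH_KEYS = ("archive_dir", "cert", "privkey", "chain", "fullchain")


def read_renewal_paths(conf: Path) -> dict[str, str]:
    """Parse the section-less 'key = value' header of renewal/<name>.conf.
    Certbot writes it with configobj; stdlib configparser rejects a header without a
    section, so it is parsed by hand. Only the lines before [renewalparams] matter here."""
    paths: dict[str, str] = {}
    for line in conf.read_text().splitlines():
        line = line.strip()
        if line.startswith("["):
            break
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            paths[key.strip()] = value.strip()
    return paths


def check_letsencrypt_tree(root: str | os.PathLike) -> list[str]:
    """Return the problems found; an empty list means the tree looks usable."""
    root = Path(root).resolve()
    live, archive, renewal = root / "live", root / "archive", root / "renewal"
    problems: list[str] = []
    lineages = sorted(p for p in live.iterdir() if p.is_dir()) if live.is_dir() else []
    if not lineages:
        problems.append(f"no lineages under {live}")
    for lineage in lineages:
        name = lineage.name
        for link in LINKS:
            path = lineage / link
            if not path.is_symlink():
                problems.append(f"{name}: {link} is not a symlink")
                continue
            target = path.resolve()          # follows Certbot's relative ../../archive/... link
            if not target.is_file():
                problems.append(f"{name}: {link} -> {os.readlink(path)} does not resolve")
            elif archive not in target.parents:
                problems.append(f"{name}: {link} resolves outside archive/: {target}")
            elif link == "privkey.pem" and target.stat().st_mode & 0o077:
                problems.append(f"{name}: {target} is readable by group/others (chmod 600)")
        conf = renewal / f"{name}.conf"
        if not conf.is_file():
            problems.append(f"{name}: missing {conf}")
            continue
        for key, value in read_renewal_paths(conf).items():
            if key in CONF_PATH_KEYS and root not in Path(value).parents:
                problems.append(f"{name}: {conf.name} has {key} = {value}, outside {root} "
                                "(restore the backup to the same path as on the old server)")
    return problems


def build_sample_tree(base: Path, name: str = "example.com", key_mode: int = 0o600,
                      conf_prefix: Path | None = None, drop_archive: str | None = None) -> Path:
    """Constructed fixture: a minimal Certbot tree as `tar -xzf ... -C /` would restore it."""
    root = (base / "letsencrypt").resolve()
    arch, lv = root / "archive" / name, root / "live" / name
    arch.mkdir(parents=True)
    lv.mkdir(parents=True)
    (root / "renewal").mkdir()
    for link in LINKS:
        stem = link[:-4]                                   # cert.pem -> cert1.pem
        f = arch / f"{stem}1.pem"
        f.write_text(f"-----BEGIN {stem.upper()} PLACEHOLDER-----\n")   # not real PEM data
        f.chmod(key_mode if stem == "privkey" else 0o644)
        os.symlink(f"../../archive/{name}/{stem}1.pem", lv / link)
    if drop_archive:
        (arch / drop_archive).unlink()                     # simulate an incomplete restore
    prefix = conf_prefix or root
    header = [f"archive_dir = {prefix}/archive/{name}"] + [
        f"{l[:-4]} = {prefix}/live/{name}/{l}" for l in LINKS]
    (root / "renewal" / f"{name}.conf").write_text(
        "version = 2.9.0\n" + "\n".join(header) + "\n\n[renewalparams]\nauthenticator = nginx\n")
    return root


def run_demo() -> dict[str, list[str]]:
    """Run the check over a healthy tree and three typical restore mistakes."""
    cases = {"good": {}, "key readable by others": {"key_mode": 0o644},
             "restored to a different path": {"conf_prefix": Path("/etc/letsencrypt")},
             "incomplete archive": {"drop_archive": "privkey1.pem"}}
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, kwargs in cases.items():
            tree = build_sample_tree(Path(tmp) / label.replace(" ", "_"), **kwargs)
            results[label] = check_letsencrypt_tree(tree)
        results["empty"] = check_letsencrypt_tree(Path(tmp) / "empty")
    return results


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
    # On a real host: check_letsencrypt_tree("/etc/letsencrypt")
```

The path check is the one `certbot certificates` will not flag clearly: if the backup was extracted under a different prefix, the symlinks (being relative) still resolve, but every renewal conf points at the old absolute location and the next `certbot renew` fails or writes files where nothing serves them.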
Migration without backup
If you don't have a backup, issue new certificates on the new server:
# On new server (after DNS points to it)
certbot certonly --nginx -d domain.com
When transferring a domain to another owner, revoke your certificates first. The new owner can issue their own certificates.
Certificate Transparency
Certificate Transparency (CT) is a public, append-only logging system for certificates issued by publicly trusted CAs. Browsers such as Chrome and Safari reject certificates that carry no proof of logging, so in practice every publicly trusted certificate for your domain is visible in the logs. This allows:
- Detecting fraudulent or mis-issued certificates
- Monitoring issuances for your domain
- Auditing CAs
Query issued certificates
Use crt.sh to see all certificates issued for your domain:
# Via browser (prefix the query with %. to include subdomains, e.g. https://crt.sh/?q=%25.yourdomain.com)
https://crt.sh/?q=yourdomain.com
# Via API (same query syntax; %25 is the URL-encoded % wildcard)
curl "https://crt.sh/?q=yourdomain.com&output=json" | jq
Automatic monitoring
Set up alerts to be notified when new certificates are issued:
Option 1: Facebook Certificate Transparency Monitoring
- Go to developers.facebook.com/tools/ct
- Register your domain to receive email alerts
Option 2: Certspotter (free)
# Query via API
curl "https://api.certspotter.com/v1/issuances?domain=yourdomain.com&include_subdomains=true&expand=dns_names"
Option 3: Monitoring script
#!/bin/bash
# Alert on crt.sh entries not seen before (run via cron); %25. is a URL-encoded %. so subdomains are included
set -euo pipefail
DOMAIN="yourdomain.com"
STATE="/var/lib/ct-monitor/${DOMAIN}.ids"   # crt.sh entry IDs already seen
mkdir -p "$(dirname "$STATE")" && touch "$STATE"
curl -fsS "https://crt.sh/?q=%25.${DOMAIN}&output=json" | jq -r '.[].id' | sort -u > "${STATE}.new"
NEW=$(comm -13 "$STATE" "${STATE}.new")       # IDs present only in the new list
[ -z "$NEW" ] || echo "New certificates for ${DOMAIN}: ${NEW}"
mv "${STATE}.new" "$STATE"
A plain count, as a first version of this script might print, tells you nothing: certificates expire and renew all the time, so the count changes constantly. Diffing the entry IDs against the last run is what turns the query into an alert. crt.sh is a best-effort service and regularly times out; the curl -f and pipefail make the script exit without touching its state file in that case.
Why monitor?
| Scenario | What it means |
|---|---|
| Certificate you didn't issue | Possible compromise (of the host, the DNS, or the ACME account) or a validation bypass; investigate and revoke |
| Many certificates in short period | Possible abuse, or a misconfigured renewal loop burning through the rate limit |
| Certificate from a CA you don't use | Check your CAA records and investigate immediately |
All Let's Encrypt certificates appear in CT logs, and each issuance normally shows up twice (a precertificate and the final certificate, sharing a serial number), so two entries per renewal are normal and expected. Transparency is what makes this kind of monitoring possible.
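As an added example (not part of this page, and not crt.sh's or Certbot's code), the following Python applies the three rules in the table to crt.sh output: it collapses precertificate/certificate pairs by serial number, skips entries already reviewed on a previous run, flags certificates from an issuer other than Let's Encrypt or for names you never requested, and flags a burst of issuances within a window. It consumes the JSON shape crt.sh returns for `https://crt.sh/?q=%25.example.com&output=json` (fields id, issuer_name, name_value with newline-separated SANs, not_before, serial_number) but is fed a constructed sample so it runs offline; the issuer policy, the expected-name list, the threshold and the sample rows are this example's assumptions.

```python
"""Triage crt.sh results for a domain: new entries, unexpected issuers, unexpected
names and issuance bursts.

Added example, not code from this page, crt.sh or Certbot. The sample rows
below are constructed and stand in for a live crt.sh API response.
"""
from __future__ import annotations
import json
import re
from datetime import datetime, timedelta

EXPECTED_ISSUER = re.compile(r"\bO=Let's Encrypt\b")   # every cert should come from here

# --- constructed sample standing in for the crt.sh API response ---
LE_ISSUER = "C=US, O=Let's Encrypt, CN=R11"
OTHER_CA = "C=XX, O=Unknown Example CA, CN=Unknown Example Issuing CA"


def _row(cid: int, issuer: str, names: list[str], not_before: str, serial: str) -> dict:
    """One crt.sh JSON element, trimmed to the fields used here."""
    return {"id": cid, "issuer_name": issuer, "name_value": "\n".join(names),
            "not_before": not_before, "serial_number": serial}


SAMPLE_CRTSH_JSON = json.dumps(
    [_row(1001, LE_ISSUER, ["example.com", "www.example.com"], "2024-05-20T10:00:00", "03a1"),
     _row(1002, LE_ISSUER, ["example.com", "www.example.com"], "2024-05-20T10:00:00", "03a1"),  # precert twin of 1001
     _row(1003, OTHER_CA, ["login.example.com"], "2024-05-30T09:15:00", "7f01")]
    + [_row(1010 + i, LE_ISSUER, ["example.com"], f"2024-05-{25 + i:02d}T08:00:00", f"04b{i}")
       for i in range(6)])                                  # a renewal loop gone wrong


def parse_crtsh(payload: str) -> list[dict]:
    """One record per certificate: crt.sh lists the precertificate and the final
    certificate separately (same issuer and serial), so those pairs are collapsed."""
    seen: set[tuple[str, str]] = set()
    records = []
    for row in json.loads(payload):
        key = (row["issuer_name"], row["serial_number"])
        if key in seen:
            continue
        seen.add(key)
        records.append({"id": row["id"], "issuer": row["issuer_name"],
                        "names": sorted(set(row["name_value"].split("\n"))),
                        "not_before": datetime.fromisoformat(row["not_before"])})
    return records


def name_expected(name: str, expected: set[str]) -> bool:
    """A name is expected if listed, or covered by a listed one-label wildcard."""
    parent = name.split(".", 1)[1] if "." in name else ""
    return name in expected or f"*.{parent}" in expected


def triage(records, known_ids, expected_names, now, window=timedelta(days=7), burst_limit=5):
    """Apply the rules from the table above; returns (severity, message) findings."""
    findings: list[tuple[str, str]] = []
    for r in records:
        if r["id"] in known_ids:
            continue                                   # already reviewed on an earlier run
        tag = f"crt.sh id {r['id']} ({', '.join(r['names'])})"
        bad_issuer = not EXPECTED_ISSUER.search(r["issuer"])
        strays = [n for n in r["names"] if not name_expected(n, expected_names)]
        if bad_issuer:
            findings.append(("high", f"{tag}: unexpected issuer {r['issuer']}"))
        if strays:
            findings.append(("high", f"{tag}: names you never requested: {strays}"))
        if not bad_issuer and not strays:
            findings.append(("info", f"{tag}: new certificate from the expected issuer"))
    recent = [r for r in records if r["not_before"] >= now - window]
    if len(recent) > burst_limit:
        findings.append(("medium", f"{len(recent)} certificates issued in the last {window.days} days "
                                   f"(threshold {burst_limit}): renewal loop or abuse?"))
    return findings


def run_demo() -> list[tuple[str, str]]:
    """Triage the sample as a cron job would, with id 1001 already seen on a previous run."""
    records = parse_crtsh(SAMPLE_CRTSH_JSON)
    known_ids = {1001}                                 # persisted in a state file in practice
    return triage(records, known_ids, {"example.com", "www.example.com"}, now=datetime(2024, 6, 1))


if __name__ == "__main__":
    for severity, message in run_demo():
        print(f"[{severity:6}] {message}")
```

On the sample this yields two high findings for the login.example.com certificate (wrong issuer and a name you never requested), six informational entries for the legitimate renewals, and one medium finding because seven certificates were issued inside the window: exactly the case that precedes the "too many certificates already issued" error from the troubleshooting section.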