Let’s Encrypt SSL certificates expire every 90 days. Cloudways typically renews these automatically around 30 days before they expire. But when that process fails, you risk running an unsecured site, and you may only discover it once the expiration notice appears.
In this detailed guide, we’ll explore every major cause behind renewal failures, offer step-by-step fixes, and ensure you’re equipped to prevent this from happening in the future.
What Can Go Wrong With SSL Auto‑Renewals
1. .well-known/acme-challenge Path Blocked
Let’s Encrypt uses HTTP-01 validation, serving a token under /.well-known/acme-challenge/. If your .htaccess or rewrite rules block this, the renewal fails. Cloudways support confirms just such an interference is a common culprit. Reddit users echo this.
2. Interference from CDN or WAF
When your site passes through Cloudflare, StackPath, or similar, Let’s Encrypt’s validation request may get intercepted or blocked before it reaches your origin server.
3. Port 80 or 443 Not Open Or Application Access Disabled
Without open HTTP (port 80) or HTTPS (port 443), Let’s Encrypt can’t perform validation. A timeout during renewal often indicates a blocked port or maybe your application access is disabled.
4. DNS Misconfiguration
If DNS records redirect your domain away from the Cloudways server, possibly via a hidden CDN origin, the validation request fails.
5. Renewal Rate Limits
Let’s Encrypt allows a limited number of renewals (e.g., 5 per day per domain). Hitting those limits, or expiry windows, may block renewals .
How to Fix “Let’s Encrypt SSL Not Renewing Automatically” on Cloudways
We have listed down a few steps or fixes in order to deal with the SSL issues.
Step 1: Confirm Renewal Failure
In Cloudways, check if renewal shows errors. A 200 OK indicates the challenge endpoint is reachable if you test it via SSH/CLI but you can also check with any online SSL checker.
Step 2: Fix .htaccess
For rules, you need to access .htaccess file in your application’s root directory, add at the code at the top:
RewriteEngine On RewriteRule ^\.well-known/acme-challenge/ - [L]
Now you need to save and attempt renewal for SSL. For Cloudways users, just rename your .htaccess file or retry with the default .htaccess file to test the SSL renewal.
Step 3: Bypass CDN or WAF
- Pause proxy/CDN such as Cloudflare.
- Ensure DNS A record points directly to your server.
- Renew SSL using Cloudways “Renew SSL” button.
- Once successful, re-enable your CDN or WAF.
Step 4: Verify Ports 80 & 443
Check your server firewall. You can verify it via online port checker or you can reach out to cloudways support regarding port issues. If the port will be closed, this is how you can verify.
Step 5: Manual Renewal via Cloudways
Here’s how you can renew SSL on Cloudways Platform manually.
- Go to Concern Application → SSL Certificate Settings → Renew SSL.
- Watch for errors in the logs, address the .htaccess file, check CDN, or port issues if it fails.
- Keep in mind Cloudways limits manual renewal to 5 per day usually.
Step 6: After Renewal Validate Everything
- You can test the SSL via any SSL certificate validator or SSL checker.
- Check new certificate details (expiration date) in the browser or via SSL Labs.
- Re-enable .htaccess rules and CDN/WAF if applicable.
Advanced Considerations
- Wildcard certificates use DNS-01 validation: check CNAME _acme-challenge records.
- Root CA updates: Cloudways has updated the trust store (e.g., removed DST Root CA X3, uses ISRG Root X1).
- Outages at Let’s Encrypt or Cloudways: Track via status pages; issues resolved quickly.
Conclusion
Successful auto-renewal on Cloudways stems from three core elements:
- Unblocked challenge path (/.well-known/acme-challenge/).
- Clear DNS pointing to the correct server.
- Open ports 80/443 and no CDN/WAF interference.
Adjusting .htaccess, temporarily disabling conflicting services, and ensuring correct network/firewall settings typically resolve most renewal failures. With this setup fixed once, future renewals should occur seamlessly, a stable, secure flow.
Frequently Asked Questions
1. My SSL expired, what now?Rename .htaccess, pause CDN/WAF, open ports, then click “Renew SSL.” Once validated, restore settings and test.
2. Will I need to reapply and rewrite rules each time?
No, adding the rule once ensures future auto‑renewals proceed without further .htaccess changes.
3. What if I hit renewal rate limits?
You will have to wait for 24 hours. Let’s Encrypt limits manual renewals to 5/day; automatic renewal won’t count.
4. I use a wildcard certificate, is there anything different?
Yes, DNS-01 validation is used. Ensure you have correct _acme-challenge CNAME or TXT records set up and maintained
Salwa Mujtaba
Salwa Mujtaba is a Technical Content Writer at Cloudways. With a strong background in Computer Science and prior experience as a team lead in Cloudways Operations, she brings a deep understanding of the Cloudways Platform to her writing. Salwa creates content that simplifies complex concepts, making them accessible and engaging for readers. When she's not writing, you can find her enjoying good music, reading a book, or spending quality time with her family.
