Letsencrypt Cert Expired on Self Hosted Instance - Unable to Renew

Hi, I accidentally let my bitwarden letsencrypt cert expire and now when I run ./bitwarden.sh start it fails to renew the cert.

Here’s the output –

Note: My domain name has been replaced with mydomain.com

Cert is due for renewal, auto-renewing…
Non-interactive renewal: random delay of 129 seconds
Plugins selected: Authenticator standalone, Installer None
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f1c2a6ac690>: Failed to establish a new connection: [Errno -3] Try again',)). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

I got this figured out…

  1. Ran certbot certonly on the host computer to generate a new SSL cert
  2. Copied the folder containing the cert from /etc/letsencrypt/archive/mydomain.com to /bwdata/ssl/ AND /bwdata/letsencrypt/live/
  3. Rename /bwdata/letsencrypt/renewal/mydomain.com.conf.old to kill the renewal
  4. Run ./bitwarden.sh update
  5. PROFIT

Hope this helps someone else.

You saved me from a long night of pain. Thank you.


To renew the SSL certificate for a Bitwarden self-hosted installation on Ubuntu, log into the machine. Then, run:

./bitwarden.sh renewcert

This will do everything necessary to renew the certificate and restart Bitwarden. :+1: :+1: :+1:


I did this exact procedure.

Nothing happened.

The certificate did not renew.

I’m trying prickly_porcupine’s method.

Thank you! "./bitwarden.sh renewcert" worked perfectly for me. I powered on an EC2 instance with Bitwarden that I had created a while ago and abandoned. The cert had expired 3 months ago. At first the command failed, but it gave this hint:
"The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet."
After I allowed 0.0.0.0/0 on TCP port 80 in the VPC ACL and security group, the command worked smoothly without errors. Don't forget to remove the "allowed" port 80 rule once done. A more permanent solution is probably to figure out where certbot is trying to connect for renewal and allow only those destinations on port 80; I suspect automatic renewal will fail without it as well.
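A pre-flight check that covers the two failure signatures in this thread (the DNS/connection error in the first post and the port 80 challenge hint in the last one), added here as an example; it is not part of the thread or of Bitwarden's scripts. The ACME hostname is the one from the error output above, the patterns and hints are my own assumptions, and the sample log text is constructed from the posts.

```python
"""Pre-flight checks to run before ./bitwarden.sh renewcert (added example)."""
import re
import socket
import subprocess
from datetime import datetime, timezone

ACME_HOST = "acme-v02.api.letsencrypt.org"  # host named in the error in this thread

# Failure patterns seen in this thread, mapped to the most likely cause (assumed hints).
CERTBOT_RULES = [
    (r"Failed to establish a new connection: \[Errno -3\]",
     "dns", "host cannot resolve the ACME API name; check resolv.conf and egress DNS"),
    (r"Max retries exceeded with url: /directory",
     "acme-unreachable", "no TCP 443 egress to the ACME directory; check outbound filtering"),
    (r"failed to download the challenge files .*port 80",
     "inbound-80", "HTTP-01 needs inbound TCP 80 from the internet during renewal"),
]

# Constructed samples, abridged from the two error messages quoted in the thread.
SAMPLE_DNS_FAILURE = ("HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): "
                      "Max retries exceeded with url: /directory (Caused by NewConnectionError("
                      "'Failed to establish a new connection: [Errno -3] Try again',)). Skipping.")
SAMPLE_CHALLENGE_FAILURE = ("The Certificate Authority failed to download the challenge files "
                            "from the temporary standalone webserver started by Certbot on port 80.")

def classify_certbot_output(text):
    """Return (code, hint) pairs for every known failure pattern found in certbot output."""
    return [(code, hint) for pattern, code, hint in CERTBOT_RULES
            if re.search(pattern, text, re.DOTALL)]

def days_until_expiry(not_after_line, now_iso=None):
    """Days left from an `openssl x509 -enddate -noout` line such as
    'notAfter=Jun  1 12:00:00 2030 GMT'; now_iso overrides the clock for testing."""
    raw = not_after_line.split("=", 1)[1].strip()
    expires = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    return (expires - now).days

def cert_days_left(pem_path):
    """Shell out to openssl for the notAfter of a PEM file (e.g. the fullchain.pem above)."""
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", pem_path],
                         capture_output=True, text=True, check=True).stdout
    return days_until_expiry(out)

def acme_resolvable(host=ACME_HOST):
    """True if the ACME API name resolves; False reproduces the '[Errno -3]' condition."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False
```

Run `cert_days_left("/bwdata/letsencrypt/live/mydomain.com/fullchain.pem")` and `acme_resolvable()` on the host before renewing; a negative day count plus an unresolvable host is exactly the state in the first post.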