Let's Encrypt certificate doesn't automatically renew, but rebuilding does trigger the renewal

I looked at other similar topics, but couldn’t find the reason. I might have missed some info.

Automatic renewal of the SSL certificate has been failing for months on one of my forums. From acme.sh.log:

[Thu Sep 18 00:32:58 UTC 2025] error='"error":{"type":"urn:ietf:params:acme:error:connection","detail":"2a01:4f8:c17:6ebb::: Fetching https://forum.tevives.fr: Timeout during connect (likely firewall problem)","status": 400'

[Thu Sep 18 00:32:59 UTC 2025] response='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}'

Rebuilding the app properly renews the certificate.

This is a standard install, no fancy stuff, no CDN, no reverse proxy, etc.

The firewall is set as:

image1188×903 48.8 KB

Any idea why this issue happens, and how to fix it?

EDIT: TL;DR: I don’t know.

When was your last rebuild? Oh, but this has been going on for a while.

There was something recently about the http port being redirected for .well-known paths, but yours it https. It doesn’t make much sense that it’d be timing out unless the acme process that’s supposed to be listening isn’t for some reason.

I rebuilt yesterday since the certificate wasn’t renewed the day before. It also failed the June 20th and I had to rebuild as well.

The other thing you can do next time is try running it by hand in the container to see if you can get some other idea then.

I recently worked on the le cert renewal. It is the http to https redirect - acme does not handle being told to redirect well at all and by default attempts to connect on the same protocol (http) as it did when it was setup initially

Recent updates to the let’s encrypt template should fix these renewals going forward.