Let’s Encrypt certificates are valid for 90 days. You should renew before day 60 to give yourself a safety margin. Here’s how to renew with GetHTTPS (manual) and Certbot (automatic).
Method 1: Renew with GetHTTPS (manual)
Repeat the same steps you used to get the original certificate:
- Go to gethttps.com/app/setup
- Enter the same domain(s)
- Complete an HTTP-01 or DNS-01 challenge (same as before)
- Download the new certificate files
- Replace the old files on your server:
sudo cp fullchain.pem /etc/ssl/gethttps/fullchain.pem
sudo cp privkey.pem /etc/ssl/gethttps/privkey.pem
sudo systemctl reload nginx # or apache2/httpd
Time: 2-3 minutes once you’ve done it before.
When to use: You don’t have server access to install Certbot, you manage a small number of domains, or you prefer not to install software.
Method 2: Automatic renewal with Certbot
If Certbot is installed on your server, renewals happen automatically:
# Check if auto-renewal is set up
sudo systemctl list-timers | grep certbot
# Manual dry-run to test
sudo certbot renew --dry-run
# Force renewal now
sudo certbot renew
Certbot’s systemd timer (or cron job) runs twice daily and renews certificates within 30 days of expiry.
When to use: You have root access to the server and want zero-touch renewals.
How to check when your certificate expires
# Check from the server
openssl x509 -noout -enddate -in /etc/ssl/gethttps/fullchain.pem
# Check remotely
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -enddate
Output example: notAfter=Aug 5 12:00:00 2026 GMT
Set a reminder
- Day 0: Certificate issued (valid 90 days)
- Day 60: Renew (recommended — 30-day safety margin)
- Day 90: Certificate expires — site shows security warning
Set a calendar reminder for day 60. If you’re managing multiple domains, use a monitoring service to alert on upcoming expirations.
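For several domains, the timeline above can be checked by a script instead of a calendar. The following is an added example, not part of GetHTTPS or Certbot: it classifies the `notAfter=` line printed by the openssl commands shown earlier. The function names and `RENEW_BEFORE_DAYS` are hypothetical, and GNU `date` is assumed.

```shell
#!/bin/sh
# Added example (not from GetHTTPS or Certbot). Function names are hypothetical.
# Requires GNU date; openssl is only needed by the two fetch helpers.
RENEW_BEFORE_DAYS=30   # the page's safety margin: renew with 30 days left

# renewal_status "notAfter=Aug  5 12:00:00 2026 GMT" [now_epoch]
# Prints "OK <days>", "RENEW <days>", "EXPIRED <days>" or "UNPARSEABLE".
renewal_status() {
    end=${1#notAfter=}
    now=${2:-$(date +%s)}
    # GNU date turns an empty string into "today", so reject it explicitly.
    [ -n "$end" ] || { echo "UNPARSEABLE"; return 2; }
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    secs=$((end_epoch - now))
    days=$((secs / 86400))
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED $days"
    elif [ "$days" -lt "$RENEW_BEFORE_DAYS" ]; then
        echo "RENEW $days"
    else
        echo "OK $days"
    fi
}

# Same openssl commands as above, wrapped so they can feed renewal_status.
enddate_file() { openssl x509 -noout -enddate -in "$1"; }
enddate_host() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null
}

# check_hosts host1 host2 ...: one status line per host; exit status 1 if any
# host is not OK, so cron or a monitoring wrapper can alert on it.
check_hosts() {
    rc=0
    for h in "$@"; do
        st=$(renewal_status "$(enddate_host "$h")") || true
        echo "$h $st"
        case $st in OK\ *) ;; *) rc=1 ;; esac
    done
    return "$rc"
}
```

A host that cannot be reached or returns no certificate is reported as UNPARSEABLE and counts as a failure, so an unreachable site is not mistaken for a healthy one.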
Step-by-step: renewal with GetHTTPS
Here’s the exact process for manual renewal:
- Check current expiry (optional but good practice):
  echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -enddate
- Go to gethttps.com/app/setup
- Enter the same domain(s) as the original certificate
- Complete the challenge — same as the first time:
  - HTTP-01: place the new token file on your server
  - DNS-01: update the _acme-challenge TXT record with the new value
- Download the new certificate files
- Replace on your server:
  sudo cp fullchain.pem /etc/ssl/gethttps/fullchain.pem
  sudo cp privkey.pem /etc/ssl/gethttps/privkey.pem
- Reload the web server (not restart — reload picks up new files without dropping connections):
  sudo systemctl reload nginx # Nginx
  sudo systemctl reload apache2 # Apache/Debian
  sudo systemctl reload httpd # Apache/CentOS
- Verify the new certificate is active:
  echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates
Total time: 2-3 minutes once you’ve done it before.
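Because each manual renewal produces a new key pair, the replace step can fail if only one file is copied or the files from two downloads get mixed. The following added example (not GetHTTPS code) checks that the downloaded certificate and key belong together before touching the live files, keeps a backup, and installs the private key with mode 600. The function names are hypothetical, and the destination path is the one used in the steps above.

```shell
#!/bin/sh
# Added example (not GetHTTPS code). Function names are hypothetical.
LIVE_DIR=/etc/ssl/gethttps   # directory used in the steps above

# pair_matches CERT KEY: true only if the leaf certificate in CERT carries the
# public key that belongs to KEY. Works for RSA and EC keys.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# install_pair NEW_CERT NEW_KEY [DEST_DIR]
# Validates first, then backs up the current pair and installs the new one.
install_pair() {
    dest=${3:-$LIVE_DIR}
    if ! pair_matches "$1" "$2"; then
        echo "certificate and key do not match; live files untouched" >&2
        return 1
    fi
    # -checkend N fails if the certificate expires within N seconds.
    if ! openssl x509 -in "$1" -noout -checkend 86400 >/dev/null; then
        echo "new certificate is expired or expires within a day" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    for f in fullchain.pem privkey.pem; do
        if [ -f "$dest/$f" ]; then cp -p "$dest/$f" "$dest/$f.$stamp.bak"; fi
    done
    # Certificate is public; the private key must not be world-readable.
    install -m 644 "$1" "$dest/fullchain.pem" &&
        install -m 600 "$2" "$dest/privkey.pem"
}

# Typical use, run as root after downloading the new files:
#   install_pair fullchain.pem privkey.pem && nginx -t && systemctl reload nginx
```

Running `nginx -t` before the reload catches a configuration that no longer loads, so a bad file never reaches a running server.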
Renewal comparison: manual vs automatic
| | GetHTTPS (manual) | Certbot (automatic) |
|---|---|---|
| Effort per renewal | 2-3 minutes | Zero (cron job) |
| Server access needed | Only for file replacement | Full access (root) |
| Failure detection | You notice when the site breaks | Certbot logs + can email on failure |
| Best for | 1-5 domains, no root access | Production servers, many domains |
| Risk of forgetting | Medium (set reminders!) | Low (automated) |
For production servers with root access, set up Certbot for automatic renewal. For environments without root access, GetHTTPS manual renewal is the only option.
The 47-day future
The CA/Browser Forum voted to reduce maximum certificate validity:
| Effective date | Maximum validity |
|---|---|
| Current | 90 days (Let’s Encrypt) |
| March 2026 | 200 days |
| March 2027 | 100 days |
| March 2029 | 47 days |
By 2029, you’ll need to renew roughly every 30-35 days. This makes automated renewal (Certbot) increasingly important. For manual workflows (GetHTTPS), consider setting up more frequent reminders.
Frequently asked questions
Can I renew before the certificate expires?
Yes. Let’s Encrypt allows renewal at any time. The new certificate starts fresh with a new 90-day validity period. Early renewal doesn’t waste any remaining time — it just replaces the old certificate.
Do I need to re-do the challenge every time?
Yes. Each renewal requires a new domain validation challenge. This is a security feature — it confirms you still control the domain.
Will renewal cause downtime?
No, if done correctly. Upload the new files and reload (not restart) the web server. nginx -s reload and apachectl graceful apply new certificates to new connections without dropping existing ones.
Can I use GetHTTPS for the first cert and Certbot for renewals?
Yes. The certificate files are standard PEM format. You can generate the first certificate with GetHTTPS, then install Certbot for ongoing automatic renewal. They don’t conflict.
What if I missed the renewal deadline and my cert expired?
Your site shows a browser security warning, but the fix is simple: go to GetHTTPS, get a new certificate, replace the files, reload the server. Takes 5 minutes. There’s no penalty from Let’s Encrypt for letting a certificate expire — just get a new one.
Do I need to use the same key pair when renewing?
No. GetHTTPS generates a new key pair each time, which is actually better security practice (key rotation). The server doesn’t care if the new certificate uses a different key — just replace both fullchain.pem and privkey.pem together.
How do I renew a wildcard certificate?
Same process as the initial issuance: visit GetHTTPS, enter *.example.com, add the new _acme-challenge TXT record in DNS, verify, download. You need DNS access each time because wildcard certificates require DNS-01.