I know there’s been a bunch of renewal problems on here, so I’m hoping this one might give some greater insight as to what the root cause is…
 I got an email from LetsEncrypt saying the certificate would expire in 19 days time (first notification from them, nothing from ee). This is the first renewal for this domain. So I tried manually:
sudo ee site update mydomain.com --letsencrypt=renew
I tried a number of times but all failed. tail /var/log/ee/ee.log:
2017-07-20 01:28:21,162 (DEBUG) ee : Running command: date -d “openssl x509 -in /etc/letsencrypt/live/mydomain.com/cert.pem -text -noout|grep “Not After”|cut -c 25-” +%s 2017-07-20 01:28:21,171 (DEBUG) ee : Command Output: 1502237940, Command Error: 2017-07-20 01:28:21,172 (ERROR) ee : Your current cert will expire within 19 days.
 So I moved on to trying certbot directly with:
/opt/letsencrypt/certbot-auto certonly --webroot --webroot-path=/var/www/mydomain.com/htdocs -d mydomain.com
This gave screens of:
rm: cannot remove ‘/home/myuser/.local/share/letsencrypt/pip-selfcheck.json’: Permission denied rm: cannot remove ‘/home/myuser/.local/share/letsencrypt/lib/python2.7/os.pyc’: Permission denied etc
And sure enough everything in /home/myuser/.local/share/letsencrypt/ and below is owned by root.
 So I tried running as sudo:
sudo /opt/letsencrypt/certbot-auto certonly --webroot --webroot-path=/var/www/mydomain.com/htdocs -d mydomain.com
This gave directory ownership errors:
The directory ‘/home/myuser/.cache/pip/http’ or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo’s -H flag. The directory ‘/home/myuser/.cache/pip’ or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo’s -H flag.
 For the heck of it, I decided to try sudo with the -H flag (sets home as target user):
sudo -H /opt/letsencrypt/certbot-auto certonly --webroot --webroot-path=/var/www/mydomain.com/htdocs -d mydomain.com
This renewed successfully:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem.
However, this updated certificate was not showing in the web browser (i.e. the expiry date had not changed).
 Checking /var/www/mydomain.com/conf/nginx/ssl.conf showed:
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
So certbot has created a new directory for the renewal! I manually updated these paths to point to /mydomain.com-0001/ (as reported by certbot) instead of /mydomain.com/ and restarted nginx… now the browser does see the new certificate just fine. (I guess I could copy the new certificates over the old ones…?)
I’m not recommending anyone do this however. Firstly, ee doesn’t know about the new expiry (ee site info still shows the old one). Secondly, amending ssl.conf is probably a bad idea generally.
What’s the proper fix for this? It seems to me that certificates are being created with the wrong file permissions, which makes renewals fail?