# 188 Registry Certbot Recovery > Scope: `registry.wooo.work` on host `192.168.0.188`. ## Verified State On 2026-05-12 - `registry.wooo.work` certificate expired at `May 8 04:16:08 2026 GMT`. - HTTP-01 route check: ```text http://registry.wooo.work/.well-known/acme-challenge/codex-route-check -> 301 https://aiops.wooo.work/.well-known/acme-challenge/codex-route-check -> 404 ``` - `/usr/bin/certbot` is broken by Python/OpenSSL mismatch. - `/snap/bin/certbot` exists and should be the renewal owner. - Both apt `certbot.timer` and snap `snap.certbot.renew.timer` were enabled. - The `ollama` SSH user is in sudo group but has no passwordless sudo in this session, so Codex could not apply the root-level fix directly. ## Fix Script The repo includes a root-only helper. It is dry-run by default: ```bash bash scripts/ops/188-registry-certbot-fix.sh ``` To apply on 188: ```bash sudo bash /home/ollama/awoooi-ops/188-registry-certbot-fix.sh --apply ``` The script: - creates `/var/www/certbot`; - installs `/etc/nginx/conf.d/registry-acme-http.conf`; - routes `registry.wooo.work` HTTP-01 to `/var/www/certbot`; - reloads Nginx after `nginx -t`; - renews `registry.wooo.work` via `/snap/bin/certbot`; - disables the broken apt `certbot.timer` when snap certbot is present; - prints the renewed certificate dates. ## Post-Fix Verification Run from any host with network access: ```bash curl -sI --max-redirs 0 http://registry.wooo.work/.well-known/acme-challenge/codex-route-check openssl s_client -servername registry.wooo.work -connect registry.wooo.work:443 /dev/null \ | openssl x509 -noout -subject -issuer -dates ``` Expected: - HTTP challenge path returns `404` from the `registry.wooo.work` vhost, not a redirect to `aiops.wooo.work`. - `notAfter` is renewed to a future date. - `systemctl --failed` no longer lists apt `certbot.service` after failed state reset.