Console9

How to set up automatic certificate renewal with Certbot

Configure Certbot to automatically renew Let's Encrypt certificates before expiration using systemd timers or crontab.

Let's Encrypt certificates expire unless they are renewed. To prevent that, run Certbot's built-in renewal mechanism automatically from a systemd timer or a crontab entry.

Prerequisites

  • Certbot installed with at least one active certificate
  • Root or sudo access

Step-by-Step: Set Up Automatic Renewal with Certbot

1. Test Certbot Renewal in Dry-Run Mode

Certbot's renew --dry-run simulates the renewal process without making changes:

sudo certbot renew --dry-run

Certbot tests each certificate and reports whether renewal would succeed. Fix any errors before configuring automatic renewal.

2. Verify the Systemd Timer Is Active (Ubuntu 18.04+)

Certbot installed via snap or apt creates a systemd timer that runs renewal twice daily:

systemctl list-timers | grep certbot

If the timer appears and is active, automatic renewal is already configured. No further action is needed.

3. Create a Crontab Entry If No Timer Exists

If no systemd timer is active, add a crontab entry that runs Certbot renewal twice daily:

sudo crontab -e

Add the following line:

0 3,15 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"

Certbot checks all certificates twice daily (3:00 AM and 3:00 PM) and renews those expiring within 30 days. The --deploy-hook reloads Nginx only when a certificate is actually renewed.

How to Verify Automatic Renewal Is Working

Check Certbot's renewal log for recent activity:

sudo tail -n 20 /var/log/letsencrypt/letsencrypt.log
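
A check that complements the log review above, added here as an example and not taken from the original page: it reads each certificate's expiry date and flags any certificate well inside Certbot's 30-day renewal window, which indicates the timer or cron job is failing. It assumes GNU date, openssl, Certbot's default /etc/letsencrypt/live directory, and a 5-day grace period chosen for illustration; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): detect stalled automatic renewal.
# Certbot renews once a certificate is within 30 days of expiry, so a certificate
# well inside that window means the timer or cron job is failing.
# Assumptions: GNU date, openssl, and Certbot's default live directory.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_WINDOW_DAYS=30   # renewal window described on this page
GRACE_DAYS=5           # assumed slack for a few failed twice-daily runs

# seconds_left "<notAfter date>" [now_epoch]: seconds until expiry
seconds_left() {
    local end now
    end=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( end - now ))
}

# renewal_status "<notAfter date>" [now_epoch]: OK, DUE, RENEWAL_FAILING or EXPIRED
renewal_status() {
    local secs days
    secs=$(seconds_left "$1" "${2:-}") || { echo "UNPARSEABLE"; return 2; }
    days=$(( secs / 86400 ))
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$days" -lt $(( RENEW_WINDOW_DAYS - GRACE_DAYS )) ]; then
        echo "RENEWAL_FAILING ($days days left)"
    elif [ "$days" -lt "$RENEW_WINDOW_DAYS" ]; then
        echo "DUE ($days days left)"
    else
        echo "OK ($days days left)"
    fi
}

# scan_live: print a status line per certificate; return 1 if any needs attention
scan_live() {
    local cert end status rc=0
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -f "$cert" ] || continue
        end=$(openssl x509 -enddate -noout -in "$cert" | cut -d= -f2)
        status=$(renewal_status "$end")
        printf '%-55s %s\n' "$cert" "$status"
        case $status in OK*|DUE*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Run as root from monitoring: bash check_renewal.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_live; fi
```

A non-zero exit status from the --scan run means at least one certificate is expired, unreadable, or overdue for renewal, so the script can feed an alerting job directly.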

Common Issues

Certbot shows "Certificate not yet due for renewal" — This is normal. Certbot only renews certificates within 30 days of expiration. See Certbot: not due for renewal.