by GetOutOfBed 2400 days ago
Yeah... my own setup for a hobby project of mine renew 30 days in advance but I don't think the way it is set up will try again tomorrow if it fails today.

I've got a systemd timer that tries to renew it once per day. It just aborts early if the existing cert has more than 45 days left in it.
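The daily offline check this comment describes (and the "aborts early, before any network calls" point made further down), as an added example rather than the commenter's own script: it parses the expiry line that `openssl x509 -noout -enddate` prints, only calls the renewal step at 45 days or fewer remaining, and models the daily timer so a failed attempt is simply retried on the next run. The 90-day lifetime of a fresh certificate and the sample dates are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Tuple

# Threshold from the comment: abort while more than 45 days remain.
THRESHOLD_DAYS = 45
# Lifetime assumed for a freshly issued certificate (constructed assumption).
NEW_CERT_LIFETIME_DAYS = 90


def parse_enddate(line: str) -> datetime:
    """Parse the `openssl x509 -noout -enddate` line into an aware UTC datetime.
    Constructed example input: 'notAfter=Feb 16 00:00:00 2025 GMT'."""
    _, _, value = line.strip().partition("=")
    # openssl pads single-digit days with two spaces; collapse them for strptime.
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_left(enddate_line: str, now_iso: str) -> int:
    """Whole days between `now_iso` (ISO 8601, treated as UTC) and the cert's notAfter."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return (parse_enddate(enddate_line) - now).days


def needs_renewal(enddate_line: str, now_iso: str, threshold: int = THRESHOLD_DAYS) -> bool:
    """The offline decision: True only when `threshold` days or fewer remain."""
    return days_left(enddate_line, now_iso) <= threshold


def simulate_daily_runs(enddate_line: str, start_iso: str, days: int,
                        renew: Callable[[], bool],
                        threshold: int = THRESHOLD_DAYS) -> List[Tuple[int, str]]:
    """Model the daily timer. `renew` stands in for the ACME client call and returns
    True on success. Returns (day, action) pairs; a failed day is retried the next day."""
    not_after = parse_enddate(enddate_line)
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    log: List[Tuple[int, str]] = []
    for d in range(days):
        now = start + timedelta(days=d)
        if (not_after - now).days > threshold:
            log.append((d, "skip"))      # abort before any network call
        elif renew():
            not_after = now + timedelta(days=NEW_CERT_LIFETIME_DAYS)
            log.append((d, "renewed"))
        else:
            log.append((d, "failed"))    # no special handling: tomorrow's run retries
    return log


if __name__ == "__main__":
    attempts = iter([False, True])       # constructed: first attempt fails, second succeeds
    print(simulate_daily_runs("notAfter=Feb 16 00:00:00 2025 GMT", "2025-01-01",
                              5, lambda: next(attempts)))
```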
I also have a daily cron. One of the renewals somehow repeatedly reissued the cert for 5 consecutive days without me noticing. For some reason the certificate was also nowhere to be found, and letsencrypt wouldn't let me manually renew the certificate because it had exceeded the limit of 5 issuances/month (or something of that sort). Thankfully the limitation is only for the exact same cert, so you can issue a new one for a slightly different set of domains without waiting for the period to pass.
Isn't that placing a lot of load on a free service?
With certbot, the check to see if certificates are close to expiry is done offline. So the service is only hit if a renewal is needed. The developers of certbot actually recommend that you schedule the cron twice a day.

EDIT: Actually I'm wrong. It also checks if the certificate was revoked via OCSP. However I can't imagine that it consumes much resources.

They're also different resources, and cacheable ones.
That free service has rate limits, which are presumably set to a sustainable level for them.
"Aborts early", in this case meaning before any network calls are made.
The default configuration for certbot in most distros is to attempt renewal twice a day.
dehydrated is easy to set up this way, and has barely any dependencies.