by Filligree 2411 days ago
I've got a systemd timer that tries to renew it once per day. It just aborts early if the existing cert has more than 45 days left in it.

I also have a daily cron. One of the renewals somehow repeatedly reissued the cert for 5 consecutive days without me noticing. For some reason the certificate was also nowhere to be found, and letsencrypt wouldn't let me manually renew the certificate because it had exceeded the limit of 5 issuances/month (or something of that sort). Thankfully the limitation is only for the exact same cert, so you can issue a new one for a slightly different set of domains without waiting for the period to pass.
Isn't that placing a lot of load on a free service?
With certbot, the check to see if certificates are close to expiry is done offline. So the service is only hit if a renewal is needed. The developers of certbot actually recommend that you schedule the cron twice a day.

EDIT: Actually I'm wrong. It also checks if the certificate was revoked via OCSP. However, I can't imagine that it consumes many resources.

They're also different resources, and cacheable ones.
That free service has rate limits, which are presumably set to a sustainable level for them.
"Aborts early", in this case meaning before any network calls are made.
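The offline "abort early" gate discussed in this thread, as an added example that is not code from any commenter or from certbot. The function names, the exit-code convention and the choice to treat a missing certificate as an error instead of a reason to reissue are assumptions of this example; the renewal command is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the thread): offline gate for a daily renewal job.
# Nothing here touches the network; only the caller-supplied command may.

THRESHOLD_DAYS=45   # value from the thread: skip while more than 45 days remain

# cert_state CERT [DAYS]
#   0 = expires within DAYS days (or has already expired): renewal is due
#   1 = more than DAYS days left: skip
#   2 = file missing or not a parseable certificate: do not guess
cert_state() {
    cert=$1
    days=${2:-$THRESHOLD_DAYS}
    [ -s "$cert" ] || return 2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_due CERT CMD [ARGS...]
#   Runs CMD only when cert_state reports that renewal is due.
#   A missing or unreadable cert returns 2 without running CMD, so a job
#   that has lost its certificate fails loudly instead of reissuing daily
#   until the CA's rate limit is reached.
renew_if_due() {
    cert=$1
    shift
    state=0
    cert_state "$cert" || state=$?
    case $state in
        0) "$@" ;;
        1) echo "skip: $cert has more than $THRESHOLD_DAYS days left" ;;
        *) echo "error: $cert missing or unreadable; not reissuing blindly" >&2
           return 2 ;;
    esac
}

# Script usage: gate.sh /path/to/cert.pem <renewal command...>
if [ "$#" -ge 2 ]; then
    renew_if_due "$@"
fi
```
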