[ownagefool]

You need the API up; that's how it works.

However, should you fail to renew a cert, your script should just keep retrying until the API is back and you should allow enough time for it to fail. I believe most clients renew certs ~10 days in advance.

Obviously if you're relying on getting a new cert to bring up something like a preview environment or to hand out your own subdomains, this will result in a downtime/delay in provisioning, but most people would be fine with a single wildcard and never really experience a problem, as long as their script runs and they keep it reasonably up-to-date.

[TimWolla]

> I believe most clients renew certs ~10 days in advance.

The recommendation and the time certbot uses is 30 days.

[tehbeard]

I've heard 10 days before, possibly older documentation?

[Arnavion]

Based on the reminder emails they've sent me, they recommend renewing when one-third of the current cert's validity is remaining. That is, 1 month for their 3-month certs.

[BrandoElFollito]

What is the problem with attempting the renewal every day?

It will predictibly fail until D-30,and then there will be 30 attempts to renew (in case something went wrong firth the 1st,2nd etc attempt)