How to renew SSL certificates automatically - Rocketeers app [ Rocketeers ](/) [Login](https://rocketeersapp.com/login) On this page Knowledge --------- How to renew SSL certificates automatically =========================================== ### [\#Security](https://rocketeersapp.com/knowledge/security) Let's Encrypt certificates last 90 days, so renewal has to be automatic. Here is how to set up Certbot to renew every certificate and reload Nginx on its own. Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on June 30, 2026 · 2 minute read 1. [How Certbot renewal works](#content-how-certbot-renewal-works) 2. [Test renewal first](#content-test-renewal-first) 3. [Set up the renewal cron job](#content-set-up-the-renewal-cron-job) 4. [The systemd alternative](#content-the-systemd-alternative) 5. [Confirm what's scheduled to renew](#content-confirm-whats-scheduled-to-renew) 6. [Let Rocketeers handle it](#content-let-rocketeers-handle-it) A [Let's Encrypt](https://letsencrypt.org) certificate is valid for 90 days. That short lifetime is deliberate — it forces automation, so a forgotten certificate can never linger and become a problem. The flip side is that renewal is not optional: if it isn't automatic, your site eventually goes dark with a [your connection is not private](/your-connection-is-not-private) warning. Here's how to make sure that never happens. This assumes you've already [installed Certbot](/how-to-install-certbot) and issued a certificate. [\#](#content-how-certbot-renewal-works "Permalink")How Certbot renewal works ----------------------------------------------------------------------------- When Certbot issues a certificate it saves a renewal config under `/etc/letsencrypt/renewal/`, recording the domains, the challenge method, and the credentials it used. From then on, one command renews everything it manages: ``` sudo certbot renew ``` The important detail: `certbot renew` only actually renews a certificate when it's within 30 days of expiry. Every other run is a no-op. That's why it's safe — and recommended — to run it far more often than the certificate's lifetime would suggest. [\#](#content-test-renewal-first "Permalink")Test renewal first --------------------------------------------------------------- Before trusting it, do a dry run against the staging servers. It exercises the entire renewal path without touching your real certificates or hitting rate limits: ``` sudo certbot renew --dry-run ``` If that completes cleanly, automatic renewal will work. [\#](#content-set-up-the-renewal-cron-job "Permalink")Set up the renewal cron job --------------------------------------------------------------------------------- Add a cron entry that renews daily and reloads Nginx afterwards — the reload is what makes Nginx pick up the new certificate without dropping connections: ``` echo '0 0 * * * root /usr/local/bin/certbot renew --quiet --post-hook "service nginx reload" > /dev/null 2>&1' \ | sudo tee /etc/cron.d/certbot ``` Breaking that down: - `0 0 * * *` runs it every day at midnight. - `--quiet` keeps it silent unless something actually happens. - `--post-hook "service nginx reload"` reloads Nginx **only** when a certificate was renewed, so it isn't reloading needlessly every day. Running daily means that even if one renewal fails, you have ~30 days of retries before the certificate actually expires. [\#](#content-the-systemd-alternative "Permalink")The systemd alternative ------------------------------------------------------------------------- On modern Ubuntu, Certbot often installs a `systemd` timer that does the same job. Check whether one is already active before adding a cron job: ``` systemctl list-timers | grep certbot ``` If you see `certbot.timer`, renewal is already scheduled — you only need to make sure a reload hook is configured. Use one mechanism or the other, not both. [\#](#content-confirm-whats-scheduled-to-renew "Permalink")Confirm what's scheduled to renew -------------------------------------------------------------------------------------------- List every certificate Certbot manages and its expiry date: ``` sudo certbot certificates ``` For peace of mind, [check the expiry of the live certificate](/check-ssl-certificate-expiration) the way a browser sees it, and consider a monitoring alert so you hear about a stalled renewal long before visitors do. [\#](#content-let-rocketeers-handle-it "Permalink")Let Rocketeers handle it --------------------------------------------------------------------------- Automatic renewal is a chain — the cron job has to exist, the reload hook has to fire, the DNS or HTTP challenge has to keep working, and someone has to notice if a renewal quietly fails three months from now. Rocketeers renews every certificate across every server it manages and reloads the web server for you, and it surfaces any failure so a certificate never silently lapses. If you'd rather not run certificates on the origin at all, you can also [terminate SSL at Cloudflare](/a-plus-grade-ssl-using-cloudflare). ### Subscribe to our newsletter Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now! Fill in your email address to receive updates Subscribe #### More in [\#Security](https://rocketeersapp.com/knowledge/security) - [How to extract the certificate from a PFX file](https://rocketeersapp.com/knowledge/extract-certificate-from-pfx-file) - [How to extract private key from PFX file](https://rocketeersapp.com/knowledge/extract-private-key-from-pfx-file) - [How to optimize web application security](https://rocketeersapp.com/knowledge/optimize-web-application-security) - [How to get A+ grade SSL using Cloudflare](https://rocketeersapp.com/knowledge/a-plus-grade-ssl-using-cloudflare) - [How to setup OpenClaw securely on your own VPS](https://rocketeersapp.com/knowledge/setup-openclaw-vps-securely) - [How to generate a CSR with OpenSSL](https://rocketeersapp.com/knowledge/generate-csr-with-openssl) [View all 15 articles →](https://rocketeersapp.com/knowledge/security)