With HTTPS becoming a de-facto requirement thanks to Google's web monopoly, automated SSL certificate renewals are a now standard part of any web-hosting endeavor. Those of you who use Platforms as a Service, like Vercel, may be insulated from this boring but essential housekeeping, but for people who run their own servers, ensuring that your certificate renewals are automated and reliable is an ongoing challenge.
Most people nowadays use the free SSL certificates provided by Let's Encrypt, usually with the help of their accompanying ACME client, Certbot. While Let's Encrypt used to send email reminders to ensure that your certificates were renewed before expiration, that free ssl monitoring service ended in June 2025, so it's important to ensure that your certificate renewal automation is functional and backed up with reliable monitoring.
In this guide, we'll explore how to set up and verify your automated renewal process using Certbot, along with implementing backup measures to ensure your visitors never see the terrifying "your connection is not private" error:
Step 1: Choose an ACME Client
While Certbot is the most popular Automatic Certificate Management Environment (ACME) client, ACME is an open standard, so there are numerous alternatives.
- Certbot: Most popular, easy to configure.
- acme.sh: Lightweight shell-script-based option, ideal for advanced users.
- Caddy Server: Full-featured web server, like Apache or NGINX, but with automatic HTTPS handling as a primary feature.
Step 2: Configure Your ACME Client
Instructions for certificate issuance vary by platform, and the issuance process is closely tied to auto-renewal.
I'm not going to replicate the detailed instructions here because they'll quickly go out of date, but here are the current links for each of the aforementioned clients:
- Certbot: Certbot instructions
- acme.sh: acme.sh documentation
- Caddy: Caddy automatic HTTPS
Certbot Gotchas
Ensure your system has a cron daemon installed. Some systems, such as Amazon Linux, don't have cron by default, and without it, Certbot's automated renewal jobs will never run!
Also, make sure to restart your server after automated renewal. Certbot handles this in some configurations, but not all. Check our article on how to restart your server after certificate renewal for more details.
Step 3: Verify Configuration and Implement Certificate Expiration Monitoring
Although most ACME clients help you automate renewals, failures are very common. It's important to double check the systemd timers or cronjobs responsible for these recurring checks. It depends on your configuration and client, but for Certbot, checking for the recurring jobs would look something like this:
systemctl list-timers certbot.timer
# or
crontab -l | grep certbot
Additionally, you should always incorporate certificate monitoring tools like CertNotifier to receive notifications as your certificates approach expiration. See our article on Why Let's Encrypt Auto Renewal Fails Sometimes for some of the many reasons why automated certificate renewal can fail, but the bottom line is this: automated certificate renewal can and will fail at the most inopportune times without a robust certificate monitoring solution.