Certbot daemon mode?

Currently I'm running Certbot on a regular schedule via cron or "sleep", every quarter of an hour or so.

I wonder whether Certbot allows some kind of mode where it doesn't return (until Ctrl+C or similar) but triggers recertifications itself? The idea is that it knows better how long to sleep until the next recertification event.

1 Like

No, certbot (and most ACME clients) relies on crontab or other system schedulers to wake it on a regular basis. But the work it does when woken in this way is usually entirely local: checking the expiration date on the certificates it is managing, checking the Retry-After header on the most recent ARI info it has fetched, etc. So it's quite cheap to have it frequently awoken by cron, and you've got your system set up in the recommended way 🙂

3 Likes
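The kind of local check described in the reply above, as an added example that is not part of the thread and is not Certbot's code: given a certificate's expiry and a cached ARI response with its Retry-After value, decide whether to renew, re-poll ARI, or sleep, without any network access. The function and field names, the 30-day fallback threshold and the sample data are assumptions made for illustration.

```python
# Added illustration, not Certbot's code; all names are hypothetical.
import json
import random
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    # ARI timestamps are RFC 3339 strings, typically ending in "Z"
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def renewal_decision(now, not_after, cached_ari=None,
                     renew_before=timedelta(days=30), pick=random.random):
    """Decide from local state only: returns (action, when).

    action is "renew", "poll_ari" or "sleep"; for "sleep", `when` is the
    earliest time at which anything needs doing.
    """
    # Fallback: renew once inside renew_before of expiry (assumed value).
    renew_at = not_after - renew_before
    poll_at = None
    if cached_ari:
        win = cached_ari["body"]["suggestedWindow"]
        start, end = parse_ts(win["start"]), parse_ts(win["end"])
        # Pick a point inside the suggested window; a real client would
        # persist this choice instead of re-rolling on every wake-up.
        renew_at = start + (end - start) * pick()
        # Retry-After says when the cached ARI answer should be refreshed.
        poll_at = cached_ari["fetched"] + timedelta(seconds=cached_ari["retry_after"])
    if now >= renew_at:
        return ("renew", now)
    if poll_at is not None and now >= poll_at:
        return ("poll_ari", now)
    return ("sleep", min(renew_at, poll_at) if poll_at else renew_at)

# Constructed sample data (not real certificate or server output).
UTC = timezone.utc
NOT_AFTER = datetime(2025, 3, 1, tzinfo=UTC)
SAMPLE_ARI = {
    "fetched": datetime(2025, 1, 10, tzinfo=UTC),
    "retry_after": 21600,  # seconds, from the Retry-After header
    "body": json.loads('{"suggestedWindow": {"start": "2025-02-01T00:00:00Z",'
                       ' "end": "2025-02-03T00:00:00Z"}}'),
}

if __name__ == "__main__":
    now = datetime(2025, 1, 10, 1, tzinfo=UTC)
    print(renewal_decision(now, NOT_AFTER, SAMPLE_ARI))
```

The `when` value returned with "sleep" is the interval a self-scheduling client would wait; a cron-driven run reaches the same decision by repeating this check on each wake-up.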

For certbot in particular, last I checked it didn't use ARI but did check OCSP each time it woke. So it's probably doing more work than it needs to. Certbot is usually recommended to just run twice a day. I don't know if 96 times a day is really going to help anything, though, other than using a little more resources, I don't think it would really hurt anything.

2 Likes

Depends what you call "cheap". Certbot is written in Python and even for just a handful of certificates, it takes quite some time just to show them with certbot certificates.

Not that it really matters much and we're not talking minutes here (14 seconds on my system with 0,9 % out of 16 GB RAM usage), but Certbot is quite "heavy" if you ask me. It's not bloody fast Rust or something similar.

Not sure how well Certbot handles hundreds of certs 🙄

3 Likes
