How do I schedule the Let’s Encrypt certbot to automatically renew just after hours?
cat /usr/lib/systemd/system/certbot-renew.timer [1] I’d like the cert renewal to happen only between 0 and 6 AM. What do I need to do?

Anyway, this can be a useful feature for sites in production.


Description=This is the timer to set the schedule for automated renewals

OnCalendar=*-*-* 00/12:00:00


Do you really need to do that? Renewing your certificate should cause zero downtime.

We may need to restart services that depend on the certificate, like java keytool.
In my case, zimbra, we need to restart all services including the webserver, and that can take 120 seconds.

I don’t understand the problem; Certbot will change the files, and then your services will re-read the files whenever they restart. LE will not come in and terminate Tomcat with prejudice. You get to pick when to restart services, which doesn’t have to be synchronized with certificate updates in any way.

When we add a post-hook with a complex script to /etc/letsencrypt/cli.ini, I’d like it to run only between 0 and 6 AM.

You’re already using cron, just separate one from the other. Have the post-hook drop a file, and another script that only runs in a very limited window only runs if that file is present.

Or just put the LE cron renewal to run in that limited window.

There are a lot of ways to solve this. LE doesn’t need to change anything to enable your workflow.

Yes, I just want to put the LE cron run in that limited window. How do I do that? I.e., I need to read man systemd.timer and systemd.time; I can also add certbot-renew.timer to /etc/systemd/system/ with [1].

I solved the problem myself, but this can be useful for more people.

Anyway, I think I found a bug, because post-hook runs when the script starts to renew the certificate but the renewal fails because the ACME challenge failed. That happened to me. Where should I report bugs? In another topic?

OnCalendar=*-*-* 00:00:00

This isn’t a bug. post-hook runs every time certbot attempts to renew a certificate, regardless of whether that attempt is successful. I think the flag you’re looking for is --deploy-hook.
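
The flag-file approach suggested earlier in the thread, driven by --deploy-hook so the flag is only set after a successful renewal, as an added example that is not code from any poster. FLAG_FILE, WINDOW_START, WINDOW_END, RESTART_CMD and the function names are assumptions, and RESTART_CMD is a placeholder for the real service restart.

```shell
#!/bin/sh
# Added example (not from the thread). All names and paths are assumptions.
# Keep the flag in a root-only directory so unprivileged users cannot
# create it and trigger a restart.
FLAG_FILE="${FLAG_FILE:-/var/lib/cert-restart/pending}"
WINDOW_START="${WINDOW_START:-0}"   # first hour allowed (inclusive)
WINDOW_END="${WINDOW_END:-6}"       # first hour not allowed (exclusive)
RESTART_CMD="${RESTART_CMD:-true}"  # placeholder for the real restart

# Run by certbot through --deploy-hook, i.e. only after a successful renewal.
mark_renewed() {
    ( umask 077; : > "$FLAG_FILE" )
}

# in_window HOUR: succeeds when HOUR (00-23) is inside the window.
in_window() {
    [ "$1" -ge "$WINDOW_START" ] && [ "$1" -lt "$WINDOW_END" ]
}

# restart_if_pending [HOUR]: run hourly from cron or a timer.
# Returns 0 restarted, 1 nothing pending, 2 outside window, 3 restart failed.
restart_if_pending() {
    now=${1:-$(date +%H)}
    [ -f "$FLAG_FILE" ] || return 1
    in_window "$now" || return 2     # flag stays until the window opens
    if sh -c "$RESTART_CMD"; then
        rm -f "$FLAG_FILE"
        return 0
    fi
    return 3                         # flag stays so the next run retries
}

# Usage: "script mark" as the deploy hook, "script run" from cron.
case "${1:-}" in
    mark) mark_renewed ;;
    run)  restart_if_pending ;;
esac
```

With this split, the renewal itself can run at any hour; only the restart is confined to the window, and a failed restart is retried on the next scheduled run.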

