Kubernetes cert-manager fails to auto renew certificates

Kubernetes cert-manager failed to renew certificates automatically. I received some expiration emails with subjects like:

Let's Encrypt certificate expiration notice for domain 'helloworld.example.com'...

My question is:

Does a Certificate object automatically renew, and how to enable the feature?
If no auto-renewal feature, then how to set an external process to periodically renew before expiration date?

Vague memory told me that cert-manager did auto-renew, but I'm not so sure.

In my environment, the current running cert-manager version is 1.0.4 version, a typical certificate object is defined like:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-letsencrypt-production
  namespace: default
spec:
  dnsNames:
  - helloworld.example.com
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-production
  secretName: helloworld-production

Thanks,