@Jaegs, ups, two questions in the same post means more beer you would need to pay 
As root, create an entry on your crontab:
# crontab -e
and add a line like this:
17 */12 * * * /path/to/letsencrypt-auto renew
It will check every 12 hours (00:17 and 12:17) whether your certificates need to be renewed, if they doesn’t the command will do nothing. You should change /path/to by the right path where letsencrypt-auto is located.
The problem with this command is that your root user will receive a mail twice a day (every time the command is executed), to avoid this you can use the --quiet switch of letsencrypt-auto:
17 */12 * * * /path/to/letsencrypt-auto renew --quiet
And you won’t receive any mail… well, only if the command has some error but you won’t even notice whether the cert has been renewed, so lets add the following:
17 */12 * * * /path/to/letsencrypt-auto renew --quiet --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2'
So, with this last command you won’t receive a mail every day but will receive a mail if some error occurs and when the cert is being renewed.
But… if the cert is renewed you will need to reload your apache to use the new issued cert is used so lets add a command to reload your apache.
17 */12 * * * /path/to/letsencrypt-auto renew --quiet --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2' --post-hook "service apache2 reload"
Before put anything of the above in your crontab, you should check that it will work fine in your system, so as root, execute the command without the --quiet option and with --dry-run option to simulate the renewal.
# /path/to/letsencrypt-auto renew --dry-run --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2' --post-hook "service apache2 reload"
Note: in case you want that mails sent by cron use any other mail address than root, when you edit your cron job with crontab -e, at the beginning of the file you can use the variable MAILTO.
MAILTO="jaegs@whatever.tld" 17 */12 * * * /path/to/letsencrypt-auto renew --quiet --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2' --post-hook "service apache2 reload"
P.S.: the renew switch attempts to renew any previously-obtained certificates that expire in less than 30 days. Just in case you didn’t know it.
I hope this helps.
Cheers,
sahsanu