Let's Encrypt certificates are valid for only ninety days, which is significantly shorter than commercial alternatives. This short validity period was chosen deliberately to encourage automation and improve overall security on the web. Any attempt to renew certificates manually will eventually result in a forgotten domain and an angry phone call from a client. The Sayt.uz support team sees this scenario every week with customers migrating from other hosting providers, and the first thing we do is set up an automated renewal cron job.
How certbot renew actually works
The certbot utility checks the expiration date of every installed certificate and only renews those with less than thirty days remaining. This behavior is built into the program and requires no additional configuration. Running the command daily does not generate excessive traffic to Let's Encrypt servers because it skips certificates that are not yet due. This is important because Let's Encrypt enforces a rate limit of fifty certificates per registered domain per week, and a poorly configured script can easily hit that ceiling.
Setting up the cron job correctly
There are two common approaches to setting up cron: editing the user crontab or creating a file in /etc/cron.d. We recommend the second approach because a dedicated file is easier to migrate between servers and harder to accidentally delete. Create /etc/cron.d/certbot-renew with the line "0 2,14 * * * root certbot renew --quiet --deploy-hook 'systemctl reload nginx'". Running twice daily is the official Let's Encrypt recommendation and protects against scenarios where the server was offline during a scheduled attempt.
Why the deploy-hook matters
After obtaining a new certificate, the web server continues to use the old file already loaded in memory. The --deploy-hook parameter runs the specified command only when a certificate was actually renewed, not on every check. This is a crucial detail that many administrators miss, causing them to reload Nginx several times a day unnecessarily. For Apache the command is systemctl reload apache2 or httpd depending on the distribution, and mail services like Postfix and Dovecot need their own reload commands.
Monitoring and notifications
The biggest danger of automation is its invisibility: you do not notice when something breaks until it is too late. We recommend redirecting certbot output to a log file and reviewing it weekly. An even better approach is to add a MAILTO directive at the top of the cron file to receive emails for every execution. A modern variant is sending notifications to Telegram via --post-hook with a curl call to the Bot API. This gives the administrator instant feedback in a familiar messenger.
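One way to make a silently failing renewal visible, as an added example that is not Sayt.uz's or certbot's own code: a check that reads each certificate's expiry date directly and prints only when a certificate has fallen past the thirty-day renewal window, so cron's MAILTO sends mail only on failure. It assumes openssl, GNU date and certbot's default /etc/letsencrypt/live directory; the script path in the comment and the 21-day threshold are illustrative choices.

```bash
#!/bin/bash
# Added example: expiry check that is independent of certbot itself.
# Silent when healthy, so cron's MAILTO mails only when renewal is failing.
# Hypothetical cron.d line: 30 3 * * * root /usr/local/sbin/cert-expiry-check

LIVE_DIR="${1:-/etc/letsencrypt/live}"   # certbot's default lineage directory
# Assumed threshold: certbot renews below 30 days, so a certificate under
# 21 days has already missed more than a week of renewal attempts.
WARN_DAYS="${WARN_DAYS:-21}"

# secs_left "<notAfter=... line from openssl>" [now_epoch] -> seconds to expiry
secs_left() {
    local end="${1#notAfter=}" now="${2:-$(date +%s)}" end_epoch
    end_epoch=$(date -u -d "$end" +%s) || return 1   # requires GNU date
    echo $(( end_epoch - now ))
}

# classify <seconds_left> -> expired | overdue | ok
classify() {
    if [ "$1" -le 0 ]; then echo expired
    elif [ "$1" -lt $(( WARN_DAYS * 86400 )) ]; then echo overdue
    else echo ok
    fi
}

check_all() {
    local cert line secs state
    # live/ is root-only; an unreadable directory must not look like "all fine".
    [ -r "$LIVE_DIR" ] || { echo "cannot read $LIVE_DIR"; return 0; }
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -e "$cert" ] || continue
        if ! line=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) ||
           ! secs=$(secs_left "$line" 2>/dev/null); then
            echo "unreadable $cert"
            continue
        fi
        state=$(classify "$secs")
        [ "$state" = ok ] || echo "$state $cert: $(( secs / 86400 )) days left"
    done
    return 0
}

check_all
```

Because the script reads the certificate files rather than certbot's logs, it also catches the case where the renewal cron job itself was removed or never ran.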
Sayt.uz practice
At Sayt.uz, automatic Let's Encrypt renewal is configured by default for 92 percent of customers. This service is included in the base hosting price and requires no action from the user. Wildcard certificate auto-renewal uses DNS validation and costs 290,000 soum per year as a separate add-on. Corporate clients with commercial certificates receive renewal reminders sixty days in advance via Telegram and email, which helps them plan budget and avoid service disruptions.