Rajib Ahmed

Install and Run Let's Encrypt Certbot Every 60 Days with systemd Timer


If you're managing Let's Encrypt SSL certificates on a Linux server, you probably use Certbot to automate SSL issuance and renewal. By default, Certbot is configured to renew certificates every 60 days using a systemd timer (certbot.timer) or a cron job. But what if you want to install Certbot and then enforce a renewal run exactly every 60 days using systemd?

This post shows you how to install Certbot and customize the certbot.timer to renew certificates every 60 days using systemd.


📦 Install Certbot

Depending on your Linux distribution, use one of the following commands:

For Debian/Ubuntu:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

For CentOS/RHEL:

sudo dnf install epel-release
sudo dnf install certbot python3-certbot-nginx -y

🔐 Obtain a Certificate (One-time setup)

Replace example.com with your actual domain:

sudo certbot --nginx -d example.com -d www.example.com

Follow the prompts to complete the certificate issuance and Nginx configuration.


🔁 Why 60 Days?

Let's Encrypt certificates are valid for 90 days, and the official recommendation is to renew at or before 60 days to avoid the risk of expiry due to failures or downtimes.

✅ Recommended: Automate renewals every 60 days for safety and peace of mind.


⚙️ Set Up systemd Timer to Run Every 60 Days

1️⃣ Open the Certbot Timer Override

sudo systemctl edit certbot.timer

2️⃣ Add the Override Configuration

Paste the following lines:

[Timer]
OnCalendar=
OnBootSec=10min
OnUnitActiveSec=5184000
Persistent=true

💡 What This Means:

  • OnCalendar=: Clears the default calendar schedule.
  • OnBootSec=10min: Waits 10 minutes after boot before the first run.
  • OnUnitActiveSec=5184000: Runs the timer every 60 days (60 × 24 × 60 × 60 = 5,184,000 seconds).
  • Persistent=true: Ensures missed events run at the next boot (if the server was off).

3️⃣ Save and Exit

  • If using nano, press Ctrl + O then Enter, and then Ctrl + X.

4️⃣ Apply the Changes

sudo systemctl daemon-reexec
sudo systemctl restart certbot.timer

5️⃣ Confirm It’s Working

systemctl list-timers certbot.timer

Example output:

NEXT                         LEFT       LAST                         PASSED     UNIT            ACTIVATES
Sat 2025-08-21 00:00:00 UTC  60d left   Sun 2025-06-22 00:00:00 UTC  1min ago   certbot.timer   certbot.service

🔍 Bonus: Check Certificate Expiry Date

To manually check your current certificate’s expiry date:

openssl x509 -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -noout -enddate

✅ Conclusion

Using systemd's powerful timers, you can fully automate Certbot to renew every 60 days — following best practices for secure and reliable SSL management.

Just be sure to monitor for errors, and consider using email or system logs to stay informed about renewal status.
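
One way to do that monitoring is to build on the `openssl x509 -enddate` check from the Bonus section. The script below is an added example, not part of the original post; the function names, the 21-day `WARN_DAYS` threshold and the sample dates in comments are assumptions, and it needs GNU `date`.

```bash
#!/usr/bin/env bash
# Added example: report how many days each Certbot certificate has left.
# Assumptions: GNU date, the default /etc/letsencrypt/live layout, and a
# WARN_DAYS threshold of 21 days (pick what suits your renewal schedule).
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-21}"

# days_left "notAfter=Sep 20 00:00:00 2025 GMT" [now_epoch]
# Prints whole days until expiry, negative once the certificate has expired.
days_left() {
    local end now diff
    end=$(date -u -d "${1#notAfter=}" +%s) || return 2
    now=${2:-$(date -u +%s)}
    diff=$(( end - now ))
    # Floor division, so a certificate that expired an hour ago reports -1.
    if [ "$diff" -lt 0 ]; then diff=$(( diff - 86399 )); fi
    echo $(( diff / 86400 ))
}

# cert_status DAYS [WARN_DAYS]: prints OK, WARN or EXPIRED; returns 0, 1 or 2.
cert_status() {
    local days="$1" warn="${2:-$WARN_DAYS}"
    if [ "$days" -lt 0 ]; then echo EXPIRED; return 2; fi
    if [ "$days" -lt "$warn" ]; then echo WARN; return 1; fi
    echo OK
}

# check_all: inspect every lineage under LIVE_DIR and return the worst status.
check_all() {
    local worst=0 pem enddate days status rc
    for pem in "$LIVE_DIR"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        if enddate=$(openssl x509 -in "$pem" -noout -enddate) &&
           days=$(days_left "$enddate"); then
            status=$(cert_status "$days") && rc=0 || rc=$?
        else
            status=UNREADABLE days="?" rc=2
        fi
        printf '%-10s %4s days  %s\n' "$status" "$days" "$pem"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Run the check when the Certbot directory is present (reading it needs root).
if [ -d "$LIVE_DIR" ]; then check_all; fi
```

The exit code is 0 when every certificate is above the threshold, 1 when at least one is below it, and 2 when one is expired or unreadable, so a cron job or systemd unit can alert on a non-zero result.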

