
How to Automate SSL Certificate Renewal: The Complete Guide

Updated May 2026, by CertNotify Team

Manual SSL certificate renewal is one of the leading causes of preventable outages. In 2026, with Let's Encrypt issuing free 90-day certificates and cloud providers offering managed TLS, there is no excuse for a manual renewal workflow. This guide covers every major approach — from Certbot on Linux servers to Kubernetes cert-manager and cloud-managed certificates.

The Cost of Manual Renewal

An expired SSL certificate immediately blocks all traffic to your site with a browser security warning. Search engines de-index HTTPS-only content. E-commerce loses all transactions. Every minute of downtime compounds trust damage.

Understanding the ACME Protocol

Automated Certificate Management Environment (ACME) is the protocol that powers automated certificate issuance. Originally created by Let's Encrypt, ACME is now an IETF standard (RFC 8555). It works through domain validation challenges: you prove to the CA that you control the domain, and the CA verifies that proof before issuing a certificate.

There are three challenge types:

HTTP-01

The CA fetches a specific file at http://yourdomain.com/.well-known/acme-challenge/. Requires port 80 to be open. Simplest method for single servers.

DNS-01

CA checks a TXT record in your DNS. Works behind firewalls, supports wildcard certificates. Requires DNS API access for automation.

TLS-ALPN-01

The CA validates via a special TLS handshake. Requires port 443. Useful when port 80 is blocked and no DNS API is available.
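
All three challenge types answer with values derived from the same two inputs: the token the CA hands out and the ACME account key. The following is an added example (not code from the CertNotify article) that computes the HTTP-01 response body and the DNS-01 TXT value as RFC 8555 defines them, plus the comparison a CA performs on the fetched file. SAMPLE_JWK and SAMPLE_TOKEN are constructed placeholders, not a real key or challenge.

```python
"""Deriving ACME challenge responses from the account key (RFC 8555 sections 8.1, 8.3, 8.4).

Added example, not code from the CertNotify article. SAMPLE_JWK and SAMPLE_TOKEN
are constructed placeholders, not a real key or a real challenge.
"""
import base64
import hashlib
import json

# Constructed P-256 public JWK; the coordinate values are filler, not a real key.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "use": "sig",  # optional member: must NOT influence the thumbprint
}
# Placeholder token in the shape a CA hands out inside the challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the *required* members
    only, keys in lexicographic order, no whitespace. Optional members such as
    'use' are dropped, so two encodings of the same key give the same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 response body: '<token>.<thumbprint>'. Serving the bare token is not
    enough; the thumbprint ties the answer to the account key the challenge was
    issued to, so control of the web root alone does not satisfy the CA."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: the TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(key authorization)), not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def verify_http01(served_body: str, token: str, jwk: dict) -> bool:
    """The CA-side check after fetching http://<domain>/.well-known/acme-challenge/<token>:
    the body must equal the key authorization for the requesting account
    (RFC 8555 lets the server ignore trailing whitespace)."""
    return served_body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    print("HTTP-01 body :", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

When a challenge fails, comparing what your server actually serves (or what `dig TXT _acme-challenge.yourdomain.com` returns) against these derived values tells you whether the problem is the file content, the record, or simply propagation delay.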

Method 1: Certbot on Linux (Nginx/Apache)

Certbot is the official Let's Encrypt client. It handles certificate issuance, server configuration, and renewal automatically.

# Install Certbot (Ubuntu/Debian)
sudo apt update
sudo apt install certbot python3-certbot-nginx

# Issue certificate for your domain
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Certbot automatically configures Nginx and installs a renewal timer (or cron job)
# Verify auto-renewal works:
sudo certbot renew --dry-run

Certbot installs a systemd timer (or cron job on older systems) that runs twice daily and renews certificates when they have less than 30 days remaining. For Apache, replace --nginx with --apache.

Method 2: Wildcard Certificates with DNS Challenge

Wildcard certificates (*.yourdomain.com) cover all subdomains but require DNS-01 challenge — meaning your DNS provider must have an API that Certbot can use to create TXT records automatically.

# Example: Wildcard cert with Cloudflare DNS plugin
pip install certbot-dns-cloudflare

# Create credentials file (directory and file readable only by this user)
mkdir -p -m 700 ~/.secrets
cat > ~/.secrets/cloudflare.ini << EOF
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
EOF
chmod 600 ~/.secrets/cloudflare.ini

# Issue wildcard certificate
certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d "*.yourdomain.com" \
  -d "yourdomain.com"

DNS plugins exist for Route53, Cloudflare, Namecheap, GoDaddy, DigitalOcean, and most major DNS providers. Check the Certbot DNS plugins documentation for the full list.

Method 3: cert-manager on Kubernetes

For Kubernetes deployments, cert-manager is the standard tool. It integrates with Ingress controllers (nginx-ingress, Traefik, etc.) to automatically provision and renew certificates for all Ingress resources.

# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml

# Create a ClusterIssuer for Let's Encrypt
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

Then annotate your Ingress resource with cert-manager.io/cluster-issuer: letsencrypt-prod and cert-manager handles the rest — issuance, storage as Kubernetes Secrets, and automatic renewal.

Method 4: Cloud-Managed Certificates

The simplest approach for cloud deployments is using your cloud provider's managed certificate service. These renew automatically and require zero ongoing maintenance:

Platform         | Service                  | Cost                    | Notes
-----------------|--------------------------|-------------------------|---------------------------------
AWS              | AWS Certificate Manager  | Free for ALB/CloudFront | Fully managed, auto-renewal
GCP              | Google-managed SSL       | Free                    | Works with Load Balancers
Azure            | App Service Certificates | From $69/year           | OV available
Cloudflare       | Edge Certificates        | Free with any plan      | Edge-only, origin cert separate
Vercel / Netlify | Auto TLS                 | Free                    | Automatic for all custom domains

Automation Checklist

Renewal runs at least 30 days before expiry (not at the last minute)
Dry-run tests pass: certbot renew --dry-run or equivalent
Systemd timer or cron job is enabled and running
Renewal hook restarts web server after certificate update
Monitoring alerts if fewer than 14 days of validity remain (a sign that renewal failed)
Test renewal in staging environment before production
Log output from renewal jobs is captured and reviewed
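
The 14-day alert in the checklist is an independent check, run from outside the renewal job, of what the server actually presents. The following is an added example (not CertNotify's own code) of that check: it fetches the leaf certificate over a verified TLS connection, computes the remaining validity and classifies it against the threshold. The threshold logic is kept separate from the network call so it can be exercised offline; ALERT_DAYS and the date strings used in comments are assumptions for this example.

```python
"""Remaining-validity check behind the checklist's "alert below 14 days" item.

Added example, not CertNotify's own code. check_host() opens a real TLS
connection; the other functions are pure so the threshold logic can be
exercised offline with constructed dates.
"""
import socket
import ssl
import sys
import time
from typing import Optional

# Certbot renews at 30 days remaining; a certificate still below 14 days means
# roughly two weeks of renewal attempts have failed and someone needs to look.
ALERT_DAYS = 14


def parse_cert_time(not_after: str) -> float:
    """Epoch seconds for an OpenSSL-style time string as returned in
    ssl.SSLSocket.getpeercert()['notAfter'], e.g. 'Jun  1 12:00:00 2026 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> float:
    """Days left on the certificate; negative once it has expired."""
    now = time.time() if now_epoch is None else now_epoch
    return (parse_cert_time(not_after) - now) / 86400.0


def classify(days_left: float, alert_days: int = ALERT_DAYS) -> str:
    """'expired', 'alert' (renewal has most likely failed) or 'ok'."""
    if days_left <= 0:
        return "expired"
    if days_left < alert_days:
        return "alert"
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate the server actually presents and classify it.

    The default context verifies chain and hostname, so an already-expired or
    otherwise broken certificate fails the handshake; that is reported as
    'tls_error' rather than being silently counted as 'ok'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "status": "tls_error", "error": str(exc)}
    days = days_until_expiry(cert["notAfter"])
    return {"host": host, "not_after": cert["notAfter"],
            "days_left": round(days, 1), "status": classify(days)}


if __name__ == "__main__":
    # Usage: python check_expiry.py yourdomain.com [more hosts...]
    exit_code = 0
    for host in sys.argv[1:]:
        result = check_host(host)
        print(result)
        if result["status"] != "ok":
            exit_code = 1  # non-zero exit so a cron or CI job can page on it
    sys.exit(exit_code)
```

Run it from a host other than the web server itself: a check that lives on the same machine as the renewal job tends to fail in the same outage (disk full, DNS broken) that stopped the renewal.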

Even automated renewals can fail — monitor them

Automation failures happen: DNS propagation issues, API rate limits, network timeouts. CertNotify monitors your certificate expiry and alerts you if a renewal fails before it impacts users.
