After setting up a couple of sites (including this one) with Let's Encrypt free certificates to enable HTTPS, I looked at what I had made and saw that it was good. So I sort of left it at that.

I was aware that the certificates issued had a very short validity period (3 months) but I kicked that particular issue into the actually-not-so-long grass for future me to deal with.

I recently started receiving reminder emails to tell me that the certificates would be expiring soon, so I figured it was about time to do something about it. While the process itself is simple (certbot renew if you just want to repeat what certbot did the first time around), the various pages about it mention that you should actually run the auto renew process on a schedule. Surprisingly, the official documentation doesn't do a great job of explaining that this is already set up out of the box and just needs enabling. Most pages I came across mentioned setting up a cron job, which is what I was about to do anyway, others mention that the installation of certbot should actually set up a cron job for you (I couldn't find one on my CentOS 7 system), and I also found a few pages describing how to set up a systemd timer to do the same thing.

It's actually a lot simpler than that. Current certbot packages will create a systemd timer by default. Just turn it on and make sure it's set to start at boot:

systemctl enable certbot-renew.timer

systemctl start certbot-renew.timer

Done! You can set up any pre/post hooks by editing the environment file at /etc/sysconfig/certbot but for me the default renew command worked just fine.