From b0d30dd475658e8fb5411cb4c4a81fe927ea5431 Mon Sep 17 00:00:00 2001
From: Kristian Klausen
Date: Sat, 17 Oct 2020 12:31:01 +0200
Subject: [PATCH] certbot: Disable built-in random-sleep

certbot by default sleep 1-480 seconds before renewing, to avoid all people renewing at :00. In our case the logic is is unnecessary as systemd is handling it (RandomizedDelaySec=24h).
---
 roles/certbot/files/certbot-renewal.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/certbot/files/certbot-renewal.service b/roles/certbot/files/certbot-renewal.service
index ac5ad5de..30577725 100644
--- a/roles/certbot/files/certbot-renewal.service
+++ b/roles/certbot/files/certbot-renewal.service
@@ -4,6 +4,7 @@ Description=Let's Encrypt renewal
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/certbot renew --rsa-key-size 4096 \
+ --no-random-sleep-on-renew \
 --pre-hook "/etc/letsencrypt/hook.sh pre" \
 --post-hook "/etc/letsencrypt/hook.sh post" \
 --renew-hook "/etc/letsencrypt/hook.sh renew"
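Review bot: The added `--no-random-sleep-on-renew` makes the spreading of renewals depend entirely on the timer's `RandomizedDelaySec=24h`, which the commit message cites but which is neither part of this diff nor mentioned in the service file. If that timer setting is later dropped, or the service is started by some other trigger, the hosts using this role would presumably renew close together and could hit the CA's rate limits. The coupling deserves a comment above `ExecStart`, for example `# Random sleep disabled: the timer that starts this unit must keep RandomizedDelaySec set.` It is also worth confirming that every host's certbot version recognises the flag, since an unknown option would likely make `certbot renew` exit before renewing anything and the failure would only surface when certificates expire.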