diff --git a/README.md b/README.md
index 1dd00f7..6c55140 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,13 @@ Certbot code repository options. This role clones the agent from the configured
 The directory inside which Certbot will be cloned.
+ certbot_auto_renew: true
+ certbot_auto_renew_user: "{{ ansible_user }}"
+ certbot_auto_renew_hour: 3
+ certbot_auto_renew_minute: 30
+
+By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot-auto renew` via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
+
 ## Dependencies
 None.
diff --git a/defaults/main.yml b/defaults/main.yml
index ec0a908..793362c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,14 @@
 ---
+# Where to get Certbot.
 certbot_repo: https://github.com/certbot/certbot.git
 certbot_version: master
 certbot_keep_updated: yes
+# Where to put Certbot.
 certbot_dir: /opt/certbot
+
+# How to keep Certbot certs up to date.
+certbot_auto_renew: true
+certbot_auto_renew_user: "{{ ansible_user }}"
+certbot_auto_renew_hour: 3
+certbot_auto_renew_minute: 30
diff --git a/tasks/main.yml b/tasks/main.yml
index 5ff5548..ed076dc 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -10,3 +10,12 @@
 file:
 path: "{{ certbot_dir }}/certbot-auto"
 mode: 0755
+
+- name: Add cron job for 'certbot-auto renew' (if configured).
+ cron:
+ name: Certbot automatic renewal.
+ job: "{{ certbot_dir }}/certbot-auto renew --quiet --no-self-upgrade"
+ minute: "{{ certbot_auto_renew_minute }}"
+ hour: "{{ certbot_auto_renew_hour }}"
+ user: "{{ certbot_auto_renew_user }}"
+ when: certbot_auto_renew
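Review bot: In defaults/main.yml the new default `certbot_auto_renew_user: "{{ ansible_user }}"` has no fallback, so on hosts where the inventory or play never sets `ansible_user` the cron task would most likely fail with an undefined-variable error. Where it is set, the renewal job inherits whatever account Ansible logs in with, which may well be root even though the README asks for a non-root user. A guarded form such as `certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"` avoids the hard failure, with the caveat that the fallback is the controller-side user name and must exist on the target. The file now also mixes `yes` (`certbot_keep_updated`) with `true`; using `true`/`false` throughout would be consistent.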
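Review bot: In tasks/main.yml the new cron task is only skipped by `when: certbot_auto_renew`, so turning the variable off after an earlier run leaves the existing crontab entry in place and renewals keep running. Dropping the `when` and adding `state: "{{ 'present' if certbot_auto_renew else 'absent' }}"` would let the role remove the job as well. The job executes `{{ certbot_dir }}/certbot-auto` as `certbot_auto_renew_user`, while the preceding `file` task (it starts outside the hunk) is seen setting only `mode: 0755`. If the checkout is writable by an account other than the cron user, that account decides what the scheduled job runs, so pinning `owner` and `group` on the script and its directory is worth adding.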