diff --git a/dotfiles/weechat/letsencrypt.sh b/dotfiles/weechat/letsencrypt.sh
new file mode 100644
index 0000000..c381e63
--- /dev/null
+++ b/dotfiles/weechat/letsencrypt.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Update the weechat SSL key.  Should be called from cron via sudo.
+
+eval WEEDIR="$(printf "~%q/.weechat/" "${SUDO_USER}")"
+LIVEKEY="${WEEDIR}/ssl/relay.pem"
+
+certbot renew -q
+cat /etc/letsencrypt/live/$(hostname -f)/{privkey,fullchain}.pem > \
+  ${LIVEKEY}
+chown ${SUDO_USER}:$(id -gn ${SUDO_USER}) ${LIVEKEY}
+for fifo in ${WEEDIR}/weechat_fifo* ; do
+  echo '*/relay sslcertkey' > ${fifo}
+done