diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index aef8b8b4b1a2d7660bd816310212cb2d11b0b2cc..ce1f928b2738066811425a3c7e3e3c85c03ac272 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -188,6 +188,11 @@ in {
     systemd.services.${certServiceName} = {
       enable = cfg.tls;
       description = "Certificate ${domain}";
+      # Activate this unit periodically so that certbot can determine if the
+      # certificate expiration time is close enough to warrant a renewal
+      # request.
+      startAt = "weekly";
+
       serviceConfig = {
         ExecStart =
         let
@@ -203,32 +208,6 @@ in {
       };
     };
 
-    # Periodically trigger the certificate renewal service.
-    systemd.timers.${certServiceName} = {
-      enable = cfg.tls;
-      timerConfig = {
-        # "Defines a timer relative to when the unit the timer unit is
-        # activating was last deactivated."
-        #
-        # Trigger the renewal service periodically.  Since it will activate
-        # and then deactivate each time this timer triggers, this timer will
-        # trigger it repeatedly.  The delay specified here is relative to the
-        # last time the target unit is deactivated and that advances to the
-        # current time after each time the trigger fires.
-        OnUnitInactiveSec = "3d";
-
-        # "Defines a timer relative to the moment the timer unit itself is
-        # activated."
-        #
-        # Since at the time this timer is activated we're not sure whether the
-        # renewal service has ever been activated or deactivated we don't know
-        # when if or when the other trigger will fire.  This ensures that
-        # shortly after this timer is activated it will trigger.  Thereafter,
-        # the other trigger will take over for periodic re-triggering.
-        OnActiveSec = "5m";
-      };
-    };
-
     # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
     networking.firewall.allowedTCPPorts = [
       80