diff --git a/cmdeploy/src/cmdeploy/acmetool/__init__.py b/cmdeploy/src/cmdeploy/acmetool/__init__.py index 457b173b..3e3312e2 100644 --- a/cmdeploy/src/cmdeploy/acmetool/__init__.py +++ b/cmdeploy/src/cmdeploy/acmetool/__init__.py @@ -10,12 +10,10 @@ def deploy_acmetool(email="", domains=[]): packages=["acmetool"], ) - files.put( - src=importlib.resources.files(__package__).joinpath("acmetool.cron").open("rb"), - dest="/etc/cron.d/acmetool", - user="root", - group="root", - mode="644", + files.file( + name="Remove old acmetool cronjob, it is replaced with systemd timer.", + path="/etc/cron.d/acmetool", + present=False, ) files.put( @@ -67,6 +65,40 @@ def deploy_acmetool(email="", domains=[]): restarted=service_file.changed, ) + reconcile_service_file = files.put( + src=importlib.resources.files(__package__).joinpath( + "acmetool-reconcile.service" + ), + dest="/etc/systemd/system/acmetool-reconcile.service", + user="root", + group="root", + mode="644", + ) + + systemd.service( + name="Setup acmetool-reconcile service", + service="acmetool-reconcile.service", + running=False, + enabled=False, + daemon_reload=reconcile_service_file.changed, + ) + + reconcile_timer_file = files.put( + src=importlib.resources.files(__package__).joinpath("acmetool-reconcile.timer"), + dest="/etc/systemd/system/acmetool-reconcile.timer", + user="root", + group="root", + mode="644", + ) + + systemd.service( + name="Setup acmetool-reconcile timer", + service="acmetool-reconcile.timer", + running=True, + enabled=True, + daemon_reload=reconcile_timer_file.changed, + ) + server.shell( name=f"Request certificate for: {', '.join(domains)}", commands=[f"acmetool want --xlog.severity=debug {' '.join(domains)}"], diff --git a/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.service b/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.service new file mode 100644 index 00000000..1d5e7baf --- /dev/null +++ b/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.service 
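Review bot: The `systemd.service` call for `acmetool-reconcile.timer` passes `daemon_reload=reconcile_timer_file.changed` but no `restarted=`, unlike the context line `restarted=service_file.changed,` at the top of the same hunk. Whether an already-running timer picks up an edited schedule after only a daemon-reload is not something I would rely on, so a later change to `OnCalendar=` may not take effect on hosts that are already deployed; adding `restarted=reconcile_timer_file.changed,` makes that deterministic. Separately, both new `files.put` calls pass the `joinpath(...)` result directly as `src`, where the removed cron call used `.open("rb")`; it is worth confirming that pyinfra accepts that object when the package is not installed as plain files on disk. deploy_acmetool starts and ends outside the hunk.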
@@ -0,0 +1,8 @@
+[Unit]
+Description=Renew TLS certificates with acmetool
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/acmetool --batch reconcile
+
diff --git a/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.timer b/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.timer
new file mode 100644
index 00000000..b4fac0ff
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Renew TLS certificates with acmetool
+
+[Timer]
+OnCalendar=*-*-* 16:20:00
+
+[Install]
+WantedBy=timers.target
diff --git a/cmdeploy/src/cmdeploy/acmetool/acmetool.cron b/cmdeploy/src/cmdeploy/acmetool/acmetool.cron
deleted file mode 100644
index 8f775b86..00000000
--- a/cmdeploy/src/cmdeploy/acmetool/acmetool.cron
+++ /dev/null
@@ -1,4 +0,0 @@
-SHELL=/bin/sh
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
-MAILTO=root
-20 16 * * * root /usr/bin/acmetool --batch reconcile && systemctl reload dovecot && systemctl reload postfix && systemctl reload nginx
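Review bot: The new unit's `ExecStart=/usr/bin/acmetool --batch reconcile` drops the `systemctl reload dovecot && systemctl reload postfix && systemctl reload nginx` chain that the removed cron entry ran after every reconcile. Unless an acmetool hook installed elsewhere reloads those daemons, they will keep serving the previous certificate after a renewal until something restarts them, and clients will eventually see an expired certificate. If no such hook exists, add `ExecStartPost=/bin/systemctl reload dovecot postfix nginx` under `[Service]`; it runs only when the reconcile step succeeds, which roughly matches the old `&&` chain. The cron file also set `MAILTO=root`, whereas a failed oneshot unit is only recorded in the journal, so consider an `OnFailure=` unit or an alert on the unit's failed state.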
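Review bot: `OnCalendar=*-*-* 16:20:00` fires at one fixed instant and the `[Timer]` section sets neither `Persistent=` nor `RandomizedDelaySec=`. A host that is powered off or rebooting at 16:20 skips that day's run, and every deployment contacts the ACME server in the same second. Consider adding `Persistent=true` and `RandomizedDelaySec=1h` under `[Timer]` so that a missed run is caught up at next boot and renewal requests are spread out.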