CertBot

Let's Encrypt (64% market share) and Google offer free HTTPS certificates with automatic renewal. Industry-wide, all certificate validity periods will decrease to 47 days by 2029 (DigiCert, GlobalSign). Below are some example scripts, the last of which should be called from cron. Noodle now has a built-in setting to set up certbot automatically.

Settings

DOMAIN=noodle.example.com
EMAIL=me@example.com
PASS=example
DIR=/opt/Noodle/ACME

Initialize

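# Load DOMAIN, EMAIL, PASS and DIR
. /opt/Noodle/settings.sh
apt install -y certbot
# The Debian/Ubuntu package schedules renewal through certbot.timer;
# disable that unit so the cron job is the only thing running renewals
systemctl disable --now certbot.timer
# -p: do not fail if the webroot directory already exists
mkdir -p "$DIR"
certbot register --agree-tos --no-eff-email -m "$EMAIL"
certbot certonly --webroot \
	--webroot-path "$DIR" \
	--cert-name "$DOMAIN" \
	-d "$DOMAIN"
# Restart Noodle so it picks up the new certificate
/opt/Noodle/deploy.sh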

Deploy

systemctl restart noodle.service

Renew

# Load DOMAIN and DIR
. /opt/Noodle/settings.sh
# The deploy hook runs only when a certificate was actually renewed
certbot renew --webroot \
	--webroot-path "$DIR" \
	--cert-name "$DOMAIN" \
	--deploy-hook /opt/Noodle/deploy.sh

Currently Noodle must be restarted to reload the keystore.
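
An added example, not part of Noodle or certbot: a check that can run from cron after the Renew script to catch two failure modes of this setup, a renewal that has been failing silently and a restart that never happened, so the old certificate is still being served. The certificate path is certbot's default live directory; the 10-day threshold, port 443 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of Noodle): post-renewal sanity check for cron.
# Assumptions: certbot's default layout /etc/letsencrypt/live/<cert-name>/cert.pem,
# Noodle serving HTTPS on port 443, and a 10-day warning threshold.

# Exit 0 if the PEM certificate in $1 stays valid for at least $2 more days.
# A missing or unreadable file counts as failure.
cert_valid_for() {
	[ -r "$1" ] || return 2
	openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of the PEM certificate read from stdin.
fingerprint() {
	openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Print the fingerprint of the leaf certificate host $1 serves on port $2.
served_fingerprint() {
	openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | fingerprint
}

# check_cert DOMAIN [MIN_DAYS] [PORT]: non-zero exit and a message on stderr
# when renewal is overdue or the running service still serves the old cert.
check_cert() {
	pem="/etc/letsencrypt/live/$1/cert.pem"
	if ! cert_valid_for "$pem" "${2:-10}"; then
		echo "$1: certificate missing or expiring within ${2:-10} days" >&2
		return 1
	fi
	disk=$(fingerprint <"$pem")
	live=$(served_fingerprint "$1" "${3:-443}")
	if [ "$disk" != "$live" ]; then
		echo "$1: served certificate differs from $pem (restart pending?)" >&2
		return 1
	fi
}

# Run only when a domain is passed, e.g. from cron after the Renew script.
if [ "$#" -ge 1 ]; then
	check_cert "$@"
fi
```

Cron mails anything written to stderr, so a non-empty message from this check is the alert.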