30, 60, 90 days automating SSL renewal?


#1

I will mainly be using Letsencrypt’s webroot authentication plugin for obtaining LE SSL certificates, and given that the Letsencrypt client in its beta testing stage has yet to activate auto renewals, the question on my mind is how I will auto renew my SSL certificates, which expire in 90 days.

Linux cron has @monthly only, so I could script it to run every 30 days (@monthly). But then I thought: what about auto renewals at the 60 and 90 day marks?

How are other folks planning to auto renew their LE SSL certificates?


#2

I anticipate, given that a goal with LE is automation, that the duration of validity may decrease (and there are advantages to shorter trust durations, especially in automation).

In implementing LE into Caddy, we’re starting with renewing automatically 14 days before cert expiration, with failover attempts every day until a success. So basically every 76 days for now… A conservative approach. I think attempting to renew automatically less often will be a safer bet in the early days, since automated issuance and renewal may still be a fairly high risk activity (lots of moving parts).

But renewing more often early on will help catch and fix bugs, if you don’t mind running the risk in your environment. Make sure you have good logging.

But if you’re asking for cron help, use */3 in the month field.


#3

Better use */2; that’s the default 60 days the LE client will use anyway, giving you about 30 days’ time in case of a failure.


#4

Thanks @mholt and @kelunik, always interested in seeing what others plan to do for auto renewals :smile:


#5

My original plan was to add a component directly to my server to renew the certificates, but I’m not sure yet. I like the separated approach more.


#6

I use @weekly in my crontab (see my write-up here: https://antipaucity.com/2016/02/26/automated-lets-encrypt-ssl-certificate-renewal-on-centos-7)

@monthly would also be fine. Or ‘0 0 0 */4 * *’ (which is every three months at midnight).


#7

I prefer a value between 5 and 3 days before expiration, to minimize the overhead.


#8

Remember that the letsencrypt renew command should Do The Right Thing™, so you can run it daily if you want.


#9

A word of warning: using letsencrypt renew (even with dry-run) with “renew_by_default = true” will quickly put you over the rate limit. (OOPS.) Turning off renew_by_default is giving good results now.


#10

I think renew_by_default was severely misnamed. What we originally meant by “by default” was “without asking” (as opposed to the interactive modes which would ask the user to confirm that renewal was desired). In the 0.4.0 release we added an alternative name for this feature that I think is much more accurate, which is force_renewal (as a command-line option, --force-renewal).

I’m going to try to make sure that all of our documentation in the future refers to it as --force-renewal, because I think what this does is much more apparent. (It would be quite easy to misunderstand “renew_by_default” as “try to renew when appropriate” or something.)
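As an added example (not the letsencrypt client’s own code, nor Caddy’s), here is the policy described in #2 and #8 as a small wrapper you can run from cron every day: it reads the certificate’s notAfter date via openssl, renews only once inside a 14-day pre-expiry window, simply retries on the next daily run after a failure, and never passes --force-renewal unless explicitly asked, which is the rate-limit mistake #9 warns about. The certificate path, the `letsencrypt renew` command line and the window length are assumptions, and the `notAfter=` line used to exercise the parser is a constructed sample.

```python
"""Cron-driven renewal gate: renew only inside the pre-expiry window.

Added example, not code from the letsencrypt client or from Caddy.
Assumed: the certificate path, the renewal command, and the 14-day window.
"""
import logging
import subprocess
from datetime import datetime, timedelta, timezone

log = logging.getLogger("le-renew")

CERT_PATH = "/etc/letsencrypt/live/example.com/cert.pem"  # assumed path
RENEW_BEFORE_DAYS = 14                                     # window used in post #2
RENEW_CMD = ["letsencrypt", "renew"]                       # assumed; no --force-renewal here


def parse_enddate(enddate_line: str) -> datetime:
    """Parse 'notAfter=Mar 12 23:59:59 2016 GMT', as printed by
    `openssl x509 -noout -enddate`, into a naive UTC datetime."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected openssl output: {enddate_line!r}")
    # openssl pads single-digit days with two spaces ("Mar  2"); collapse them.
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")


def cert_enddate(cert_path: str) -> datetime:
    """Ask openssl for the certificate's notAfter date."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_enddate(out)


def days_remaining(not_after: datetime, now: datetime) -> float:
    return (not_after - now) / timedelta(days=1)


def should_renew(not_after: datetime, now: datetime,
                 renew_before_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True once the certificate is inside the renewal window (or already expired)."""
    return days_remaining(not_after, now) <= renew_before_days


def _run(cmd) -> int:
    return subprocess.call(cmd)


def renew_if_needed(not_after: datetime, now: datetime, run=_run,
                    force: bool = False) -> str:
    """Return 'skipped', 'renewed' or 'failed'.

    Meant to run daily from cron. Outside the window nothing contacts the CA,
    which is what keeps a daily schedule under the rate limit; inside it the
    command runs once per day until it succeeds. `force` is for a manual
    re-issue only: it bypasses the window and adds --force-renewal.
    """
    left = days_remaining(not_after, now)
    if left < 0:
        log.error("certificate expired %.1f days ago", -left)
    if not force and not should_renew(not_after, now):
        log.info("%.1f days left, nothing to do", left)
        return "skipped"
    cmd = RENEW_CMD + (["--force-renewal"] if force else [])
    log.info("running %s (%.1f days left)", " ".join(cmd), left)
    if run(cmd) == 0:
        return "renewed"
    log.error("renewal failed; will retry on the next run")
    return "failed"


def main() -> int:
    logging.basicConfig(level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    status = renew_if_needed(cert_enddate(CERT_PATH), now)
    return 0 if status != "failed" else 1   # non-zero exit so cron mails the failure


if __name__ == "__main__":
    raise SystemExit(main())
```

A crontab line such as `0 3 * * * /usr/local/bin/le-renew-check.py` (assumed path) runs it daily at 03:00; the day-of-week and month fields stay `*` because the script, not the schedule, decides when a renewal is due, and a failed day costs nothing but one more log line before tomorrow’s retry.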