30, 60, 90 days automating SSL renewal?

eva2000 · October 30, 2015, 1:53am

I mainly will be using Letsencrypt’s webroot authentication plugin for obtaining LE SSL certificates and the fact that Letsencrypt client in beta testing stage has yet to activate auto renewals, the question I have on my mind is how will I auto renew my SSL certificates which expire in 90 days.

Linux cron has @monthly only so I could script it to run every 30 days (@monthly). But then I thought what about auto renewals at 60 and 90 day marks ?

How are other folks planning to auto renew their LE SSL certificates ?

mholt · October 30, 2015, 3:37am

I anticipate, given that a goal with LE is automation, that the duration of validity may decrease (and there are advantages to shorter trust durations, especially in automation).

In implementing LE into Caddy, we’re starting with renewing automatically 14 days before cert expiration, with failover attempts every day until a success. So basically every 76 days for now… A conservative approach. I think attempting to renew automatically less often will be a safer bet in the early days, since automated issuance and renewal may still be a fairly high risk activity (lots of moving parts).

But renewing more often early on will help catch and fix bugs, if you don’t mind running the risk in your environment. Make sure you have good logging.

But if you’re asking for cron help, use */3 in the month field.

kelunik · October 30, 2015, 5:38am

Better use */2, that’s the default 60 days the LE client will use anyway. Giving you about 30 days time in case of a failure.

eva2000 · October 30, 2015, 7:24am

thanks @mholt and @kelunik always interested in seeing what others plan to do for auto renewals

kelunik · October 30, 2015, 8:44am

My original plan was to add a component directly to my server to renew the certificates, but I’m not sure yet. I like the separated approach more.

wizzardude · February 29, 2016, 6:59pm

I use @weekly in my crontab (see my write-up here: https://antipaucity.com/2016/02/26/automated-lets-encrypt-ssl-certificate-renewal-on-centos-7)

@monthly would also be fine. Or ‘0 0 0 */4 * *’ (which is every three months at midnight).

tlussnig · February 29, 2016, 7:27pm

i preffer an value between 5-3 days bevore expireration. To minimize the overhead.

riking · February 29, 2016, 7:37pm

Remember that the letsencrypt renew command should Do The Right Thing™, so you can run it daily if you want.

benjaminarthurt · February 29, 2016, 8:49pm

A word of warning, using letsencrypt renew (even with dry-run) with “renew_by_default = true” will quickly put you over the rate limit. (OOPS). Turning off renew_by_default is giving good results now.

schoen · March 4, 2016, 1:42am

I think renew_by_default was severely misnamed. What we originally meant by “by default” was “without asking” (as opposed to the interactive modes which would ask the user to confirm that renewal was desired). In the 0.4.0 release we added an alternative name for this feature that I think is much more accurate, which is force_renewal (as a command-line option, --force-renewal).

I’m going to try to make sure that all of our documentation in the future refers to it as --force-renewal, because I think what this does is much more apparent. (It would be quite easy to misunderstand “renew_by_default” as “try to renew when appropriate” or something.)