I’ve recently implemented and integrated certbot into our Kubernetes cluster management via dockerization of the official certbot Docker image. Due to the ephemeral nature of Docker containers, I am facing an architecture decision of either
- building this process to always request a new LE certificate, or
- registering it once first and then renewing before expiration (how soon before expiration to renew is another topic).
Having said that, I wonder if the Let's Encrypt project has a certificate issuance policy guideline regarding this practice. Obviously, option 1 is going to put more load on the LE ACME server as the community gets bigger. But I have yet to see any best practice guideline that specifically forbids option 1. And it’s much, much easier to implement option 1 without having to worry about certificate transitional states.
So my question is: if there is indeed a guideline about which approach to take, can someone enlighten me please? Also, will there be a strict ban on option 1 in the future if none exists now? Furthermore, how soon should I renew existing certificates before expiration (the certbot docs mention about 1 month before expiration at the time of execution)?
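To make the load difference between the two options concrete, here is an added Python model (not certbot's code and not part of the original post) that counts ACME issuances over a year of daily container restarts. It assumes a 90-day certificate lifetime and the roughly 30-day renewal window the certbot docs describe; the restart schedule and stored-certificate record are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed parameters: a 90-day certificate lifetime and the ~30-day
# renewal window mentioned in the certbot docs.
CERT_LIFETIME = timedelta(days=90)
RENEW_BEFORE = timedelta(days=30)


@dataclass
class StoredCert:
    """Minimal stand-in for a certificate persisted outside the container
    (e.g. on a volume or in a Kubernetes Secret)."""
    not_before: datetime
    not_after: datetime


def should_renew(cert: Optional[StoredCert], now: datetime,
                 renew_before: timedelta = RENEW_BEFORE) -> bool:
    """Option 2 decision: issue when nothing is stored, when the stored
    certificate has already expired, or when expiry is inside the window."""
    if cert is None:
        return True
    return now >= cert.not_after - renew_before


def simulate(restart_times: List[datetime], persist: bool) -> int:
    """Count ACME issuances for a sequence of container start times.

    persist=False models option 1 (fresh certificate on every start).
    persist=True models option 2 (certificate kept on shared storage and
    renewed only when should_renew() says so).
    """
    stored: Optional[StoredCert] = None
    issued = 0
    for t in restart_times:
        if not persist or should_renew(stored, t):
            stored = StoredCert(not_before=t, not_after=t + CERT_LIFETIME)
            issued += 1
    return issued


def daily_restarts(days: int,
                   start: datetime = datetime(2024, 1, 1, tzinfo=timezone.utc)
                   ) -> List[datetime]:
    """Constructed schedule: one container restart per day."""
    return [start + timedelta(days=i) for i in range(days)]
```

With 365 daily restarts, option 1 issues 365 certificates while option 2 issues 7 (day 0, then every 60 days), which is the load difference the question is asking about.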