Better 95 days expiration

90 days is not good for cron; if it was 95 days, I could renew my certificates automagically every, say, 5th of every third month; with 90 days that does not work :frowning:

It’s actually recommended to renew 30 days before expiration, and to attempt renewal twice daily. Certbot, by default, will only renew certificates expiring within 30 days. Running only one renewal attempt like this puts you at risk for intermittent failures causing a real issue.

1 Like

I see: I should try every, say 5th of every second month, to renew the certs, and then twice daily loop over the result, until its successful - that again does rule out cron, because that way I might start early and collect a penalty? That is, because the recommended expiration of 60 days is > 28 + 31.

We implemented logic in Certbot (not the only client) where it looks at the expiry time of each individual certificate. If that certificate is less than 30 days from expiry, then it attempts to renew it immediately. Otherwise, it doesn’t attempt to renew it.

Therefore, we don’t have to rely on a particular schedule of renewal attempts that might be disrupted due to system downtime or failed renewal attempts. If we fail to renew on one occasion, we will try again as soon as possible.

This allows certbot renew to be run from cron extremely often without hitting a rate limit. The overwhelming majority of times that this renewal script is run, it looks at the existing certificates and decides that there’s nothing to be done yet, then exits.

1 Like

Thank You Seth, I am in fact using certbot and understand now, that daily runs is the way to automate.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.