Can I change my renewal counter from 90 to 60, 5 days before 90 day auto-renewal?

Hi guys, you've helped me get my website in place by pointing me in the right direction time and again.

Quick question:

I used this tutorial...

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

...to install an auto-renewal script, but in this tutorial the renewal timer is 90 days, not the suggested 60 days. Can I just edit my renew-certificate.sh script to 60 days, or will this cause problems just 5 days away from my 90 day renewal?

Many thanks in advance!

:smiley:

Although these are BAD instructions, they are NOT defined to run every 90 days:
As I read it, the script will run at exactly midnight once a week MONTH.
Terrible timing; as such exact zeroness can, and has, overwhelmed the system (spiking beyond capacity).

The script itself doesn't control when it is run.
That frequency is driven by the cron job entry (created with crontab -e) that calls it.

@rg305 I don't have experience with Bitnami, but its certificate tool could have some built-in delay timer when it's run non-interactively, just as certbot nowadays has.

@Osiris, the tutorial shows you how to create that script.
I didn't see anything of the kind in their instructions.

The ACME client used is lego and that could have such a delay built in. I just don't know.

Yes I have that line in the cron job. But now if I edit the renew-certificate to 60 days will I just cock up my auto renewal in 5 days time as it is now 85 days past (60 days was 25 days ago) and I'll have 90 day expired certs?

That script calls lego @rg305 ..

That's not how that works.
If today is past 60 days it will run now.

Between a stop and start of the web server.
I seriously doubt that includes some extended random wait time in it.

Oh I see, so it's not like a timer, it checks periodically when the certs were created and then checks if 60 or 90 days has passed, if so renews them? So I can literally just edit the renew-certificate.sh and it will go for it?

Usually it will check if the time to expiry is less than the number of days configured. Not equal to. So yes, you should be able to modify that 90 days to 60.

Ah yes, that's true. Would be bad to have your webserver down for hours :stuck_out_tongue:

Brilliant thanks guys!

There is no timer in that script.
If there is, please show it.

The timer is the cron line:
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null
[WHICH IS A TERRIBLE TIMER AND SHOULD BE REMOVED FROM THE INTERNET]

Do you have any such line?
Show:
sudo crontab -u root -l
OR just
crontab -l
[if logged in as root user]

Yes I have that line in the cron job

Should I perhaps have better timing once the certs renew, so it's more like once a month? What would be a better timing code to run the script?

I agree. If the script or the ACME client doesn't have a random wait period for automatic renewals, it should be added to the cronjob entry.

Twice a day is what is used by certbot's timers. The frequency of the cronjob is not the problem: it's when on the day it renews (if it renews) which is the problem: if everybody does that on the exact hour (i.e.: xx:00), then the servers of Let's Encrypt will see spikes on EVERY exact hour (due to timezones around the world), but not on the other 59 minutes of that hour.

OMG ! ! !
I see it now (it was off the screen to the right):

sudo /opt/bitnami/letsencrypt/lego --tls \
--email="EMAIL-ADDRESS" \
--domains="DOMAIN" \
--path="/opt/bitnami/letsencrypt" \
renew --days 90

[wrapped for visibility]

THAT SHOULD NOT USE 90

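To make the two points of this thread concrete (lego's `renew --days N` is a threshold check, not a timer, and the `0 0 1 * *` cron line is what puts every renewal at exactly xx:00), here is an added example script. It is not the Bitnami tutorial's renew-certificate.sh and not lego's code; it assumes GNU date and openssl, and the `certificates/DOMAIN.crt` path is assumed from lego's default layout.

```shell
#!/bin/sh
# Added example, not the Bitnami tutorial's renew-certificate.sh.
# lego's "renew --days N" does not schedule anything: on each run it renews only
# if fewer than N days of validity remain. Below, that test is written out in
# plain shell arithmetic, plus a random delay so many hosts do not all hit
# Let's Encrypt at exactly xx:00 as the "0 0 1 * *" cron line makes them do.

DAY=86400

# should_renew THRESHOLD_DAYS NOT_AFTER_EPOCH NOW_EPOCH -> exit 0 when renewal is due
should_renew() {
    remaining=$(( ($2 - $3) / DAY ))
    [ "$remaining" -lt "$1" ]
}

# random_delay MAX -> prints a number in [0, MAX) without relying on bash's $RANDOM
random_delay() {
    od -An -N2 -tu2 /dev/urandom | awk -v m="$1" '{ print $1 % m }'
}

# Cron entry to use instead of "0 0 1 * *": twice a day, at a non-round minute
# (the in-script sleep below adds up to an hour more of spread):
#   23 4,16 * * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2>/dev/null

# Paths, placeholders and the stop/start of the Bitnami stack follow the tutorial's
# script; the certificates/DOMAIN.crt layout is lego's default and is assumed here.
# Requires GNU date (for -d) and openssl.
renew_if_due() {
    cert=/opt/bitnami/letsencrypt/certificates/DOMAIN.crt
    not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    not_after_epoch=$(date -u -d "$not_after" +%s)
    now=$(date -u +%s)
    if ! should_renew 60 "$not_after_epoch" "$now"; then
        echo "certificate still has $(( (not_after_epoch - now) / DAY )) days; nothing to do"
        return 0
    fi
    # Sleep before stopping the web server, so the random wait never extends downtime.
    sleep "$(random_delay 3600)"
    /opt/bitnami/ctlscript.sh stop
    /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" \
        --path="/opt/bitnami/letsencrypt" renew --days 60
    /opt/bitnami/ctlscript.sh start
}

if [ "${1:-}" = "--run" ]; then
    renew_if_due
fi
```

With a 90-day Let's Encrypt certificate, `--days 90` makes every cron run renew, while `--days 60` renews once the certificate has under 60 days left.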

I'm pretty sure @SSLisKillingMe already changed that to 60 :wink: As is recommended by Let's Encrypt of course :slight_smile:


Yeah I guessed that as a complete newb to SSL

I did indeed change it to 60 about 30 mins ago.

Then started to worry


But the darn instructions are still 90 in the Internet ! ! ! !
