Certbot: How is the renewal time calculated?


#1

The lego client has an option to define the renewal time:
--days value : The number of days left on a certificate to renew it.

I couldn’t find something similar for Certbot.

Questions:

  • Doesn’t Certbot have such an option?
  • How is the renewal time calculated?
  • What happens when the certificate has a lifetime of one year (365 days)?

Background:
I want to use Certbot in a private environment.
The certificates are not provided by letsencrypt.
The certificate lifetime is 1-4 years.


#2

I believe you are looking for renew_before_expiry (default value is 30 days).

So if your certificate has a lifetime of 4 years (1460 days), I think Certbot would begin trying to renew at 1430 days into its validity period.


#3

Thanks for the answer.

Is the Certbot setting (‘renew_before_expiry’: ‘30 days’) hardcoded? Or in other words: If I want to change the setting (e.g. ‘renew_before_expiry’: ‘146 days’), I have to recompile the source code. Right?


#4

You can definitely set it in the renewal parameters files (in /etc/letsencrypt/renewal).

Whether it is exposed on the CLI as --renew-before-expiry, I don’t know - probably not.


#5

Thanks for the clarification. I have looked into the docs and have tried it out. There is no CLI option “--renew-before-expiry” or “--renew_before_expiry”. The parameter has to be uncommented and manually set in the renewal configuration file:

sudo cat /etc/letsencrypt/renewal/freizeitkarte-osm.de.conf
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/freizeitkarte-osm.de

Hmm, peculiar … has nobody (except me) the requirement to set this value during issuing or renewal?


#6

I’m the person who originally implemented this and you’re the first person I’ve heard ask about a command line option to set it! I think this is because relatively few users want to change the renewal interval.

Right now a workaround might be to create a deploy-hook script that edits the renewal configuration file with sed -i or something.

I opened an issue for this

and I think we’ll eventually do it but I’m afraid it may not be a very high priority (unless someone from our community contributes a fix).
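
The workaround suggested in post #6, as an added example that is not part of the original thread and not Certbot's own code: a shell function that a deploy hook could call to set renew_before_expiry in a renewal configuration file. It uses awk and a temporary file rather than sed -i; the function name, and the assumption that the key is a top-level entry above any [section] header (as in the excerpt in post #5), are this example's own.

```shell
#!/bin/sh
# Added example (not Certbot's own code): set renew_before_expiry in a
# Certbot renewal configuration file.
# Assumption: the key is a top-level entry, above any [section] header,
# as in the excerpt shown in post #5.

# set_renew_before_expiry FILE DAYS   (hypothetical helper name)
set_renew_before_expiry() {
    conf=$1
    days=$2

    # Accept only a positive integer so nothing unexpected reaches the file.
    case $days in
        ''|*[!0-9]*|0*) echo "days must be a positive integer" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    tmp=$(mktemp) || return 1
    awk -v line="renew_before_expiry = $days days" '
        # Top-level key, active or commented out: replace the first, drop repeats.
        !in_section && /^[ \t]*#?[ \t]*renew_before_expiry[ \t]*=/ {
            if (!done) { print line; done = 1 }
            next
        }
        # First section header reached without finding the key: add it above.
        /^[ \t]*\[/ {
            if (!done) { print line; done = 1 }
            in_section = 1
        }
        { print }
        # No key and no section at all: append at the end (still top level).
        END { if (!done) print line }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed usage, e.g. from a deploy hook (the path is a placeholder):
#   set_renew_before_expiry /etc/letsencrypt/renewal/example.org.conf 146
```

The function is idempotent, so running it on every deploy leaves a file that already has the wanted value unchanged in content.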


#7

Thanks for opening the issue / feature request.

