Certificate Renewal with acme.sh cronjob

Following the Wiki here one could establish a cron job for the user "acme", which I did using:

acme@mail:~/.acme.sh$ acme.sh --install-cronjob
[Tue Nov 14 02:33:50 PM CET 2023] Using the current script from: /usr/local/share/acme.sh/acme.sh
[Tue Nov 14 02:33:50 PM CET 2023] Installing cron job
no crontab for acme
no crontab for acme

crontab -e:
50 21 * * * /usr/local/share/acme.sh/acme.sh --cron --home "/var/lib/acme/.acme.sh" > /dev/null

From where can I now see when acme.sh will renew?
Is there some way of testing when it is due? (dry-run)

That cron job will run every day at 21:50 (9:50 PM) local time. If any cert is more than 60 days old at that time, it will try to renew it.

4 Likes

OK, minute 50, hour 21, was obvious, and not my question :) From where does acme.sh know to renew after 60 days? That was my question. Is it hardwired into acme.sh somewhere?

It's coded in as a default, but can be changed with some command-line option if you want. But 60 days is a pretty sensible default for Let's Encrypt's 90-day certs.

6 Likes

Ah, thanks.

1 Like

And an actual recommendation from Let's Encrypt, to renew after 2/3rds of the certificate lifetime has elapsed.

1 Like

My acme.sh is set to 83 days

Why on earth would you do that?

4 Likes

Renew a week before expiration.

Yes, I know what it does. Why? Why would you want to wait that long? Sure, you can. But you're overriding both the client's default and the explicit recommendation of the CA. To what end?

4 Likes

All personal home server stuff, so I keep it like that.

Sounds more like a weak expiration to me.

4 Likes
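
The renewal timing discussed in this thread, worked through as an added example (not part of any post above and not acme.sh's own code): it computes when a daily 21:50 cron run first attempts renewal under a 60-day and an 83-day threshold, and how many whole days of retry margin remain before a 90-day certificate expires. The sample issuance time is constructed, and the cron host's clock is assumed to be UTC.

```shell
#!/bin/sh
# Added illustration; not acme.sh source code. All timestamps are epoch seconds (UTC).
DAY=86400

# Epoch at which a cert issued at $1 becomes "$2 days old".
renew_at() { echo $(( $1 + $2 * DAY )); }

# Epoch at which 2/3 of the lifetime ($1 = notBefore, $2 = notAfter) has elapsed.
two_thirds_at() { echo $(( $1 + ( $2 - $1 ) * 2 / 3 )); }

# First daily cron run at or after epoch $1; $2 = run time as seconds after
# midnight. Assumption: the cron host's clock is UTC (the thread's host is on CET).
first_run_after() {
    run=$(( $1 - $1 % DAY + $2 ))
    if [ "$run" -lt "$1" ]; then
        run=$(( run + DAY ))
    fi
    echo "$run"
}

# Whole days between the first renewal attempt ($1) and expiry ($2):
# the window in which a failed renewal can still be retried.
retry_margin_days() { echo $(( ( $2 - $1 ) / DAY )); }

# Constructed sample cert: issued 2023-11-14 00:00:00 UTC, valid for 90 days.
NOT_BEFORE=1699920000
NOT_AFTER=$(( NOT_BEFORE + 90 * DAY ))
CRON_AT=$(( 21 * 3600 + 50 * 60 ))   # 21:50, as in the crontab above

report() {
    for days in 60 83; do
        due=$(renew_at "$NOT_BEFORE" "$days")
        run=$(first_run_after "$due" "$CRON_AT")
        margin=$(retry_margin_days "$run" "$NOT_AFTER")
        echo "days=$days first_attempt=$run retry_margin=${margin}d"
    done
    echo "two_thirds_of_lifetime=$(two_thirds_at "$NOT_BEFORE" "$NOT_AFTER")"
}
report
```

For a 90-day certificate the 60-day threshold and the two-thirds point fall on the same instant; because the job only runs once a day, the 83-day setting leaves six whole days for retries rather than seven.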
