Early renewal with autocert

I use the golang.org/x/crypto/acme/autocert package to renew my certificates. It's completely automatic. How can I make it renew them early?

It looks like you will need to update the Manager struct to change the value of renewBefore. Other more proficient go developers can provide more information than myself on what other actions you may need to take.

Certificates are stored in the file system. You could remove those, and I would restart the application. New certificates will be fetched.

The basic use of autocert is through NewListener, which says: Certificates are cached in a "golang-autocert" directory under an operating system-specific cache or temp directory. See autocert package - golang.org/x/crypto/acme/autocert - pkg.go.dev. See "cacheDir()" at https://cs.opensource.google/go/x/crypto/+/5e0467b6:acme/autocert/listener.go;l=137 for the per-OS location. If your code is using an autocert.Manager explicitly, a different directory or a different certificate store entirely may be used. Keep in mind your application may be using an older version of autocert; it may have different behaviour (I don't know).

Deleting the contents of /var/autocert and restarting the server worked for me.

Deleting the whole cache will cause a new account to be registered, which might hit rate limits. Instead, you can delete all its contents except for the acme_account+key file.
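Example code added here, not taken from autocert or from any post in this thread: it implements the advice above (prune the cache directory but keep the acme_account+key file) and the renewal-window check that an explicit autocert.Manager controls through its RenewBefore field, using only the standard library. The /var/autocert path is the one quoted earlier in the thread; by default autocert uses the per-OS cache directory described above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// Name autocert gives the ACME account key in its cache directory (quoted in
// the thread above). Removing it forces a new account registration at restart.
const accountKeyFile = "acme_account+key"

// autocert's default renewal window; an explicit Manager overrides it via RenewBefore.
const defaultRenewBefore = 30 * 24 * time.Hour

// needsRenewal mirrors autocert's check: renew once the remaining validity is
// shorter than renewBefore (zero or negative selects the default window).
func needsRenewal(notAfter, now time.Time, renewBefore time.Duration) bool {
	if renewBefore <= 0 {
		renewBefore = defaultRenewBefore
	}
	return notAfter.Sub(now) < renewBefore
}

// pruneCache removes every cached certificate under dir but keeps the account
// key, so the next start re-issues certificates without a new registration.
func pruneCache(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var removed []string
	for _, e := range entries {
		if e.Name() == accountKeyFile {
			continue
		}
		if err := os.RemoveAll(filepath.Join(dir, e.Name())); err != nil {
			return removed, err
		}
		removed = append(removed, e.Name())
	}
	return removed, nil
}

func main() {
	fmt.Println(pruneCache("/var/autocert")) // path taken from the thread above
}
```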

We are working on an update to autocert to make the renewal happen automatically. I will update this thread when that's ready.

We (the Go team) published a new version of autocert that will automatically renew potentially affected certificates. See the announcement below for instructions.

https://groups.google.com/g/golang-announce/c/NCaUuUkdUIk/m/_ISqmyh1AAAJ

I see that the fix is using a hard-coded date. It would be ideal if Let's Encrypt would have an API endpoint that clients could check for future issues, and deal with them without a client software upgrade…

(I know I'm spoiled. I've gotten used to my TLS certificates just working without any attention from me at all.)

Let's Encrypt is working on an implementation of ACME Automatic Renewal Information (ARI). A first draft is merged in our boulder code base and available in staging to begin testing. The /directory endpoint shows the renewalInfo resource for a given certificate.
