Early renewal with autocert

I use the golang.org/x/crypto/acme/autocert package to renew my certificates. It's completely automatic. How can I make it renew them early?


It looks like you will need to update the Manager struct to change the value of renewBefore. Other more proficient go developers can provide more information than myself on what other actions you may need to take.


Certificates are stored in the file system. You could remove those and, and I would restart the application. New certificates will be fetched.

The basic use of autocert is through NewListener, which says: Certificates are cached in a "golang-autocert" directory under an operating system-specific cache or temp directory. See autocert package - golang.org/x/crypto/acme/autocert - pkg.go.dev. See "cacheDir()" at https://cs.opensource.google/go/x/crypto/+/5e0467b6:acme/autocert/listener.go;l=137 for the per-OS location. If your code is using a autocert.Manager explicitly, a different directory or different certificate store entirely may be used. Keep in mind your application may be using an older version of autocert, it may have different behaviour (I don't know).


Deleting the contents of /var/autocert and restarting the server worked for me.

Deleting the whole cache will cause a new account to be registered, which might hit rate limits. Instead, you can delete all its contents except for the acme_account+key file.

We are working on an update to autocert to make the renewal happen automatically. I will update this thread when that's ready.


We (the Go team) published a new version of autocert that will automatically renew potentially affected certificates. See the announcement below for instructions.



I see that the fix is using a hard-coded date. It would be ideal if Let's Encrypt would have an API endpoint that clients could check for future issues, and deal with them without a client software upgradeā€¦

(I know I'm spoiled. I've gotten used to my TLS certificates just working without any attention from me at all.)

Let's Encrypt is working on an implementation of ACME Automatic Renewal Information (ARI). A first draft is merged in our boulder code base and available in staging to begin testing. The /directory endpoint shows the renewalInfo resource for a given certificate.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.