How to set expiration date *within the allowed date range*?

Hi everyone,

My question is similar to How to set expiration date?, except I'm not asking for 3+ months validity.

Instead, I consider calculating and setting the expiration date to the closest, say, Wednesday midday before the latest possible expiration date. This way if the automatic renewal fails, which has (rarely) happened, we have a higher chance of actually noticing the expired certificate, as opposed to if it stops working at 3:00 on a Saturday night.

(Alternatively, if certbot already has some --expire-weekday flag, that would be perfect :slight_smile: )

3 Likes

Welcome to the Let's Encrypt Community, Alex :slightly_smiling_face:

You can't control the expiration date, but nothing stops you from "pretending" it expires sooner by, say, looking outward 8 weeks (56 days) instead of 60 or 90 days.

2 Likes

Sounds like you just need to sign up for some free cert monitoring and alerting.

1 Like

Hi @mehov

if that happens, something goes wrong.

Certificate created -> you know the expiration date, you can calculate it. And you can create a job (with local rights, no external monitoring required) to check if the certificate renewal has worked.

That's all you need.

1 Like

I suppose if you only run your renewal process at mid-day on Thursdays, your certificates will always expire mid-day Wednesdays. Usually certbot is designed to run every day to see if it needs to renew certificates, but I think it'd work if you only ran it on Thursdays. Then you're in more trouble if there is a problem, though, if it won't try again until the next Thursday. Maybe there's some other ACME client you could use that has more intelligence around scheduling, where it tries to target certain renewal dates but handles and alerts on failures more, though I don't know of anything offhand that has that out-of-the-box.

Really the problem you're trying to solve here is monitoring and alerting around your renewal process, which whether it's a simple cron job like Certbot uses or something more complicated than that, you want to confirm that your certificates aren't about to expire. If they're publicly accessible sites, then yes there are free services out there that can alert you if your certificate is about to expire. Internal-only sites are a bit trickier but I suspect there are open source monitoring solutions out there. And regardless, if there's an issue with certificate creation (as opposed to if certificate creation worked but installation on your web server didn't) then Let's Encrypt will even email you at 20 days remaining. But if you're worried about what happens at 0 days remaining, then really you need to have better alerting well before then. Getting that 20 days remaining email unexpectedly should be treated as much as an "emergency" as the cert actually expiring, since it means that both the renewal process failed as well as the alerting process that should have been monitoring the expiration failed.

Though sometimes a low-tech solution of putting a reminder in your calendar every 8½ weeks to confirm that the renewal worked can give one some additional peace of mind, too, though it's no replacement for actual monitoring.

4 Likes
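The two ideas above, the local job that checks whether renewal worked and the self-imposed "Wednesday midday" deadline from the original question, as an added example that is not from any of the posters or from certbot. It assumes the notAfter line comes from `openssl x509 -noout -enddate`, and the sample line and the 20-day warning threshold are constructed here (the threshold mirrors the point at which the Let's Encrypt expiry mail mentioned above goes out).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: what `openssl x509 -noout -enddate -in cert.pem` prints.
SAMPLE_ENDDATE = "notAfter=Jun 12 03:00:00 2024 GMT"


def parse_not_after(enddate_line):
    """Turn an `openssl x509 -enddate` output line into a UTC datetime."""
    value = enddate_line.split("=", 1)[1].strip()
    # strptime treats a space in the format as "one or more", so the
    # day-padded form "Jun  5 ..." that openssl prints parses as well.
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def last_wednesday_midday_before(not_after):
    """Latest Wednesday 12:00 UTC strictly before the certificate's notAfter.

    This is the 'pretend it expires sooner' deadline: if renewal has not
    happened by this point, a human is likely to be around to notice."""
    candidate = not_after.replace(hour=12, minute=0, second=0, microsecond=0)
    # weekday(): Monday=0 ... Wednesday=2; step back to the nearest Wednesday
    candidate -= timedelta(days=(candidate.weekday() - 2) % 7)
    if candidate >= not_after:  # notAfter is on a Wednesday morning: go back a week
        candidate -= timedelta(days=7)
    return candidate


def check_renewal(not_after, now, warn_days=20):
    """Classify the installed certificate the way a local cron job would.

    Returns (status, days_left) with status 'ok', 'warn' or 'expired'.
    'warn' means the automatic renewal should already have replaced this
    certificate, so reaching it is itself the failure signal."""
    days_left = (not_after - now).total_seconds() / 86400
    if days_left <= 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "warn"
    else:
        status = "ok"
    return status, round(days_left, 1)


if __name__ == "__main__":
    not_after = parse_not_after(SAMPLE_ENDDATE)
    print("notAfter:             ", not_after)
    print("self-imposed deadline:", last_wednesday_midday_before(not_after))
    print("status now:           ", check_renewal(not_after, datetime.now(timezone.utc)))
```

Wire `check_renewal` to whatever alerting you already have (mail, chat, a monitoring check) rather than only printing it, since the whole point is that a failure is seen before day 0.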
