--keep-until-renewal vs --renew-by-default


#1

For using in automated cronjob based ssl cert renewals which would be a better option --keep-until-renewal or --renew-by-default ?

for --keep-until-renewal is that literally keep until day of expiry or there’s preset number of days before expiry ?

@jcjones :slight_smile:


Https://letsencrypt.org/howitworks/ typo
#2

The default for --keep-until-expiring (I’m assuming you mean that one) is to renew 30 days before expiration. --renew-by-default will always issue a new certificate.

The main advantage of using --keep-until-expiring is that you can simply run the cron daily and it will handle the “renew after 60 days” recommendation for you (without having to add your own checks or more complicated cron rules).

Additionally, it’s going to be more resilient to run a daily cronjob in case of intermittent errors as opposed to running it once every 30, 60 or 90 days. If something goes wrong on day 60 since your last renewal due to e.g. an outage, it’s likely it will work on the next day or at least at some point before the certificate expires.


#3

actually i did mean --keep-until-renewal but now there’s another to decide on --keep-until-expiring :slightly_smiling:

when is --keep-until-renewal used ?


#4

Where did you find that switch? cli.py doesn’t know it: https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/cli.py


#5

https://letsencrypt.org/howitworks/#writing-your-own-renewal-script I think.


#6

Ah, well, perhaps the documentation is outdated or wasn’t correct in the first place, because --keep is a synonym for --keep-until-expiring:

https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/cli.py#L973

Hmm, as far as I can tell, it’s always been --keep-until-expiring:


#7

yeah got --keep-until-renewal from https://letsencrypt.org/howitworks/#writing-your-own-renewal-script so that’s why i asked as can’t find any reference to it anywhere :slightly_smiling: