Renew_before_expiry: how to set globally?


#1

Hi, how do I set renew_before_expiry globally, so that it is applied to each lineage during certbot renew (unless /etc/letsencrypt/renewal/<lineage>.conf specifies explicitly different value)?

I tried to put it into /etc/letsencrypt/renewer.conf, but it did not have any effect (on certbot 0.7.0).

My motivation is that I want a different global renewal period than the default of every 60 days, and currently I can achieve that only by setting renew_before_expiry in each /etc/letsencrypt/renewal/<lineage>.conf, which is tedious.


#2

I think it is now possible to put it into cli.ini (that is, /etc/letsencrypt/cli.ini); I would expect it to be parsed and honored from there. Could you try that and let us know whether it worked as you expected?


#3

Thanks for the tip, I will try that. I think I tried it on 0.7 and it complained with something like "renew_before_expiry is an unknown setting". So I will try it with 0.8.


#4

@schoen I tried using: certbot-auto renew --config /etc/letsencrypt-testonly/cli.ini

The result was that it showed the usage string of certbot-auto and then said:
letsencrypt: error: unrecognized arguments: --renew_before_expiry 90 days

I also tried: certbot-auto renew --config-dir /etc/letsencrypt-testonly, and then it did not complain (maybe it did not read the cli.ini at all?), but also did not honor the renew_before_expiry = 90 days in cli.ini, because it said all 3 test certs are not yet due for renewal (even though they were issued approx. a week ago). The renewal/domain.conf files did have their renew_before_expiry setting commented out, so it could not conflict with the attempted global one.

Here is the /etc/letsencrypt-testonly/cli.ini:

agree-tos = True
keep-until-expiring = True
#renew-by-default = True
email = xxx
text = True
authenticator = webroot
webroot-path = xxx

test-cert = True
config-dir = /etc/letsencrypt-testonly
renew_before_expiry = 90 days

So either way, it does not work for me.


#5

Hi @dusek, there is a different naming convention for options given on the command line and options given in configuration files. An option on the command line uses a hyphen (-), like --renew-by-default, while an option in a configuration file uses an underscore (_), like renew_by_default. Could you try editing your configuration files to use underscores instead of hyphens and see if that improves matters?


#6

Or maybe there is a bug where the parser expects everything in cli.ini in particular to have hyphens instead of underscores?


#7

Hi @schoen, thanks for your continued help 🙂

I tried nearly everything: specifying renew-before-expiry instead of renew_before_expiry (please note this is not about renew_by_default to which you referred), I also tried to specify both variants (underscored and dashed) in /etc/letsencrypt-testonly/renewer.conf, again verified renew_before_expiry is commented in each individual domain’s renewal .conf file. The results are:

  • renew_before_expiry in cli.ini always generated the error letsencrypt: error: unrecognized arguments: --renew_before_expiry 90 days when certbot-auto renew is used with the argument --config /etc/letsencrypt-testonly/cli.ini (when using --config-dir /etc/letsencrypt-testonly, it behaves like the cases below: no error, but also no effect)
  • renew-before-expiry in cli.ini does not generate any error, but also has no desired effect (i.e. the certs do not renew as they are “not due for renewal yet”)
  • both renew_before_expiry and renew-before-expiry have no error but also no effect in /etc/letsencrypt-testonly/renewer.conf

So I am kind of stuck as to how to make this work. If you think there is no other option for me to try, I can file a bug about the impossibility of specifying a global default for renew_before_expiry that differs from the one hardcoded in the RENEWER_DEFAULTS dictionary in certbot/constants.py#L42.


#8

@dusek, I misremembered the nature of the problem. It is apparently covered by issue #2783 and is a known issue that there is no way to change the renewal interval globally.

I thought putting it in cli.ini would work, but the trouble is that renewal defaults are treated separately from CLI defaults (as you’ll see in constants.py), and only the latter can currently be set there. There is no corresponding configuration file parsed by certbot renew right now (but there probably should be!).
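Since #8 confirms there is no global knob, the per-lineage route mentioned in #1 can at least be automated. The following is an added example, not certbot's code and not from this thread: a Python helper that writes renew_before_expiry into each renewal conf, assuming the key lives in the top-level section above [renewalparams]; the sample conf is constructed.

```python
import re
from pathlib import Path

# Constructed sample of a certbot renewal config (not from the thread).
SAMPLE_CONF = """version = 0.8.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem
# renew_before_expiry = 30 days

[renewalparams]
authenticator = webroot
account = 0123456789abcdef
"""


def set_renew_before_expiry(conf_text, value, override=False):
    """Return conf_text with a top-level 'renew_before_expiry = value' line.

    Assumption: the setting belongs to the lineage's top-level section,
    above [renewalparams] (which holds CLI-style options). An existing
    *uncommented* setting is kept unless override=True, so a per-lineage
    file can still override the value this helper rolls out.
    """
    lines = conf_text.splitlines()
    active = re.compile(r"^\s*renew_before_expiry\s*=")
    for i, line in enumerate(lines):
        if active.match(line):  # commented-out lines do not match
            if override:
                lines[i] = f"renew_before_expiry = {value}"
            return "\n".join(lines) + "\n"
    # No active setting: insert before the first section header so the
    # key stays top-level, stepping back over blank lines for tidiness.
    insert_at = next((i for i, l in enumerate(lines) if l.startswith("[")), len(lines))
    while insert_at > 0 and not lines[insert_at - 1].strip():
        insert_at -= 1
    lines.insert(insert_at, f"renew_before_expiry = {value}")
    return "\n".join(lines) + "\n"


def apply_to_renewal_dir(renewal_dir, value, override=False):
    """Rewrite every <lineage>.conf under renewal_dir; return names changed."""
    changed = []
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        old = conf.read_text()
        new = set_renew_before_expiry(old, value, override)
        if new != old:
            conf.write_text(new)
            changed.append(conf.name)
    return changed
```

Running apply_to_renewal_dir("/etc/letsencrypt/renewal", "90 days") once is idempotent: a second run reports no changes, and lineages with their own uncommented value are left alone unless override=True.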

