I had cert-manager running in my Kubernetes cluster, and when I set duration to 2016h (84 days) and renewBefore to 672h (28 days) in my certificate.yaml for the letsencrypt-prod ClusterIssuer, it's not working. It's been set to a hard limit of 90 days for expiry and renewal 30 days before.
Could someone please help here: is it possible to use a custom renewal period for my certificates?
Is it an issue on Let's Encrypt's side or in my cert-manager configuration?
It's 100% a cert-manager question. The duration of the cert is from Let's Encrypt (and is 90 days), but when to renew is a matter of your client configuration. I don't know why you'd want to change it, but it would nonetheless be up to your client.
Thanks for the quick response. Does that mean Let's Encrypt supports changing the cert expiry duration from 90 days to 84 days, and renewBefore from 30 days to 28 days?
I want to change the default values of the duration and renewBefore fields for a specific requirement. We wanted to have our application certificates renew only on a Sunday. I thought if we make duration 84d and renewBefore 28d, with the initial certificate created on a Sunday at 23:59 UTC, then the next renewals will always be done on a Sunday; this will work for the next 24 renewals, based on 1 hr being reduced on every renewal by Let's Encrypt to avoid clock-skew issues.
I know this requirement can be achieved using a custom cronjob script with the cert-manager kubectl plugin, but we would like to explore other ways.
The lifetime of current Let's Encrypt certificates is fixed at 90 days. Nothing more, nothing less, nothing with regard to 84.
Let's Encrypt certificates can be "renewed" (which is technically just getting a brand new cert with the same hostname contents as a previously issued certificate) any time you want (rate limits apply), but Let's Encrypt recommends renewing at 2/3rds of the cert lifetime, i.e. 30 days left till expiry for the current 90 days certs.
This "renewBefore" is not something related to Let's Encrypt, but to cert-manager, which is not part of Let's Encrypt.
Correct. The only free publicly trusted CA that offers variable certificate lifetimes using ACME is Google. See ACME CA Comparison - Posh-ACME for a comparison of (free) ACME CAs. Note that I believe this free Google CA comes with some requirements (I think you need to be a Google Cloud customer? Although I guess Google Cloud offers some free tier stuff, not sure if that's enough to get certificates).
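To see why the Sunday plan from the earlier post does not survive a fixed 90-day lifetime, here is a small simulation added for this thread (not code from cert-manager or Let's Encrypt). It assumes cert-manager's renewal time is notAfter minus renewBefore, and that Let's Encrypt backdates notBefore by one hour, as the original poster described.

```python
from datetime import datetime, timedelta

# Assumed: Let's Encrypt sets notBefore one hour before issuance (clock-skew tolerance).
BACKDATE = timedelta(hours=1)


def issue(at: datetime, lifetime: timedelta):
    """Return (notBefore, notAfter) for a certificate issued at `at`."""
    not_before = at - BACKDATE
    return not_before, not_before + lifetime


def renewal_time(not_after: datetime, renew_before: timedelta) -> datetime:
    """Assumed cert-manager semantics: renew at notAfter minus spec.renewBefore.
    The CA's real notAfter is used, not the duration the Certificate asked for."""
    return not_after - renew_before


def plan_weekdays(first_issue_iso: str, lifetime_days: int,
                  renew_before_days: int, rounds: int) -> list:
    """Weekday names of successive renewals, given the lifetime the CA actually
    issues (90 for Let's Encrypt) and the renewBefore configured in cert-manager."""
    at = datetime.fromisoformat(first_issue_iso)
    lifetime = timedelta(days=lifetime_days)
    renew_before = timedelta(days=renew_before_days)
    weekdays = []
    for _ in range(rounds):
        _, not_after = issue(at, lifetime)
        at = renewal_time(not_after, renew_before)   # next issuance happens here
        weekdays.append(at.strftime("%A"))
    return weekdays


if __name__ == "__main__":
    first = "2024-01-07T23:59:00+00:00"             # constructed: a Sunday, 23:59 UTC
    # What the poster hoped for: an 84-day cert renewed 28 days early (56-day cadence).
    print("hoped (84d):  ", plan_weekdays(first, 84, 28, 4))
    # What actually happens: a 90-day cert renewed 28 days early (62-day cadence).
    print("actual (90d): ", plan_weekdays(first, 90, 28, 4))
```

With the real 90-day lifetime the 62-day cadence moves the renewal weekday back by one day each round, so only a client-side schedule (or a CA that honours requested lifetimes) can pin renewals to Sundays.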