Hi, we're using certbot against Sectigo's ACME service successfully. We recently switched to 30-day certificates to get ahead of the curve. We can successfully renew certificates just fine via cron jobs, but we've noticed that certbot has been renewing certificates daily. In a world of 90-day certificates, setting the renewal day to 30 makes sense, but we're nearing a world where 30-day certificates might be closer to the norm.
So my question:
Is there a configuration option OR CLI flag to adjust the number of days certbot will consider a certificate "valid"? I.e., we'd like to look at 15 days instead of 30.
It might also be worth considering looking at a valid timespan based on the certificate's original timespan. I.e., plan on renewing a certificate when it has 1/3 of its valid span left or 30 days (whichever is shorter). This would allow certbot to automatically adjust for shorter certificates.
We're currently using certbot 2.11.0. If I've missed mention of such a feature in the docs, I apologize.
I don't know if there's a CLI flag for this, but you can set the renew_before_expiry option in your renewal config file (/etc/letsencrypt/renewal/yourdomain.conf).
Caddy does this, but I'm not aware of any other client that does.
They've had an issue open for a few years about having certbot handle shorter-duration certificates better. So I think they know they need to do something, but they're taking their time on it.
Certbot is good for what its intention is, of just adding to a standalone server to get it enabled for HTTPS. But if you're looking for more than that, there is a lot of value in other clients that are designed for more advanced and enterprise use cases.
Unfortunately, the Certbot team is rather small and doesn't have much time for the project. Although it's kinda weird the issue was opened almost 3 years ago and these kinds of 'breaking changes' (e.g., just use some min(30, max(1, lifetime / 3)) math) could "easily" have been included in the major release 3.0.0, methinks...
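To make the two renewal policies discussed in this thread concrete (a fixed `renew_before_expiry` window read from a renewal conf, as suggested in the reply above, versus the lifetime-proportional `min(30, max(1, lifetime / 3))` window from the last reply), here is a small standalone Python script. It is an added example, not certbot's own code: the conf text is constructed for the example, the value format "N days" / "N hours" / "N weeks" is an assumption about what the option accepts, and the 30-day default mirrors the thread's description of current behaviour. It shows why a 30-day window renews a 30-day certificate on every run, while a proportional window does not.

```python
"""Decide whether a certificate is due for renewal under two policies.

Added example for illustration; not certbot's implementation.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed default window, as described in the thread (certbot renews at 30 days left).
DEFAULT_RENEW_BEFORE = timedelta(days=30)

# Constructed renewal conf in the style of /etc/letsencrypt/renewal/<domain>.conf.
# The first line is a comment and must be ignored; the real setting comes later.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/example.invalid
cert = /etc/letsencrypt/live/example.invalid/cert.pem
renew_before_expiry = 15 days

[renewalparams]
authenticator = webroot
"""


def parse_renew_before_expiry(value: str) -> timedelta:
    """Parse a value such as '15 days' (format is an assumption for this example)."""
    m = re.fullmatch(r"\s*(\d+)\s*(days?|hours?|weeks?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised renew_before_expiry value: {value!r}")
    n, unit = int(m.group(1)), m.group(2).rstrip("s")
    return {"day": timedelta(days=n),
            "hour": timedelta(hours=n),
            "week": timedelta(weeks=n)}[unit]


def read_renew_before_expiry(conf_text: str) -> timedelta:
    """Return the configured window, skipping commented-out lines; default to 30 days."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("renew_before_expiry"):
            _, _, value = line.partition("=")
            return parse_renew_before_expiry(value)
    return DEFAULT_RENEW_BEFORE


def proportional_window(not_before: datetime, not_after: datetime) -> timedelta:
    """Window = min(30, max(1, lifetime_days / 3)) days, as proposed in the thread."""
    lifetime_days = (not_after - not_before).total_seconds() / 86400
    return timedelta(days=min(30.0, max(1.0, lifetime_days / 3)))


def should_renew(not_after: datetime, now: datetime, window: timedelta) -> bool:
    """Renew once 'now' is inside the window before expiry."""
    return now >= not_after - window


def main() -> None:
    not_before = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed issuance time
    not_after = not_before + timedelta(days=30)               # constructed 30-day certificate
    now = not_before + timedelta(days=15)                     # halfway through its life

    fixed = read_renew_before_expiry(SAMPLE_CONF)
    prop = proportional_window(not_before, not_after)
    print(f"fixed window {fixed.days}d -> renew now? {should_renew(not_after, now, fixed)}")
    print(f"default window {DEFAULT_RENEW_BEFORE.days}d -> renew now? "
          f"{should_renew(not_after, now, DEFAULT_RENEW_BEFORE)}")
    print(f"proportional window {prop.days}d -> renew now? {should_renew(not_after, now, prop)}")


if __name__ == "__main__":
    main()
```

With the default 30-day window, a freshly issued 30-day certificate is already "due" on day zero, which matches the daily renewals reported in the first post; the 1/3 rule gives a 10-day window for the same certificate and 30 days for a 90-day one.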