roots/trellis

Decrease certificate renewal interval duration

strarsis opened this issue · 3 comments

Summary

I often get Let's Encrypt certificate expiry notifications. In order to avoid these notifications, the Trellis certificate renewal interval duration needs to be decreased, so renewal/renewal check happens before Let's Encrypt deems the remaining certificate duration as a reason to emit an expiry notification.

Motivation

Let's Encrypt webmaster notifications are nice. However, it would be nice if these certificate expiry notifications could be avoided by renewing the certificates in Trellis earlier than being done now.

Additional context

roots.io forum discussion: https://discourse.roots.io/t/lets-encrypt-expiry-notification-certificate-renewal-interval/19518

It's set to 60 days right now:

letsencrypt_min_renewal_age: 60

which is what Let's Encrypt recommends.

🤔 If you get expiry notices, then doesn't that mean an extra 10 days went by without it renewing? 60 days gives a 10-day buffer for things going wrong before the notices, right?

@swalkinshaw: Hm, with stock settings, I receive these certificate expiration notifications quite frequently for all the sites:

Notification e-mail I got from Let's Encrypt on 12.05.2021 (6 days ago):

From: Let's Encrypt Expiry Bot [expiry@letsencrypt.org]
To: webmaster@[...]
Sent: Mi 12.05.2021 [...]
Subject: Let's Encrypt certificate expiration notice for domain "[...]" (and [...] more)

---

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 01 Jun 21 15:36 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

[... list of site TLDs ...]

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

[... unsubscribe stuff ...]

Regards,
The Let's Encrypt Team

So 9 days are left for renewal and this seems to trigger the Let's Encrypt certificate expiration notification.
I installed Trellis on a new system and had no actual expired certificates yet, so renewal happens in time.

Sorry, forgot about this. I'm wondering if your system logs might explain anything. Maybe enough failures happen that it occasionally ends up going under that 10 day period? Otherwise, I'm kind of stumped.

You could try decreasing letsencrypt_min_renewal_age to 50 and see if it helps. But otherwise I'm considering this working correctly so I'll close the issue.
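To make the buffer reasoning in the replies above concrete, here is an added simulation (not Trellis code, and not written by either participant) that models a daily renewal job against Let's Encrypt's expiry-notice timing for `letsencrypt_min_renewal_age` values of 60 and 50. It assumes a 20-day notice threshold (the quoted mail arrived with 19 days left) and a once-a-day renewal check; `simulate`, `buffer_days` and the outage window are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

CERT_LIFETIME_DAYS = 90        # Let's Encrypt certificate lifetime, as stated in the thread
NOTICE_THRESHOLD_DAYS = 20     # assumption: first expiry e-mail when <= 20 days remain
                               # (the quoted mail arrived with 19 days left)


@dataclass
class RenewalOutcome:
    renewals: list[int] = field(default_factory=list)   # days on which a renewal succeeded
    notices: list[int] = field(default_factory=list)    # days on which an expiry e-mail would go out
    min_days_left: int = CERT_LIFETIME_DAYS             # closest the cert ever got to expiry


def buffer_days(min_renewal_age: int) -> int:
    """Days of failed renewal attempts tolerated before the first expiry notice."""
    return CERT_LIFETIME_DAYS - NOTICE_THRESHOLD_DAYS - min_renewal_age


def simulate(min_renewal_age: int, horizon_days: int,
             failed_days: frozenset[int] = frozenset()) -> RenewalOutcome:
    """Model a daily renewal job (assumption: the check runs once per day).

    The job renews once the current certificate is at least min_renewal_age days old,
    except on days listed in failed_days (constructed to model an outage).
    """
    out = RenewalOutcome()
    issued = 0  # day on which the current certificate was issued
    for day in range(horizon_days):
        if day - issued >= min_renewal_age and day not in failed_days:
            issued = day
            out.renewals.append(day)
        days_left = CERT_LIFETIME_DAYS - (day - issued)
        out.min_days_left = min(out.min_days_left, days_left)
        if days_left <= NOTICE_THRESHOLD_DAYS:
            out.notices.append(day)
    return out


if __name__ == "__main__":
    outage = frozenset(range(55, 71))  # constructed: 16 consecutive days of failed renewals
    for age in (60, 50):
        print(f"min_renewal_age={age}: buffer={buffer_days(age)} days, "
              f"notices during outage={simulate(age, 200, outage).notices}")
```

With no failures the 60-day setting never lets the certificate get closer than 31 days to expiry, so a notice implies the renewal job was not succeeding for more than the 10-day buffer; the 50-day setting doubles that buffer.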