[buug] letsencrypt

Ian Zimmerman itz at primate.net
Sun May 7 19:25:24 PDT 2017

On 2017-05-07 18:47, Wojciech Adam Koszek wrote:

> You start getting reminders around 2 weeks before the expiration date,
> so I guess anything closer to expiration should be fine.

I guess I have not been clear enough.

I'm not afraid of running the client too often and being kicked or
penalized.  I'm afraid of running it too rarely, and missing renewal:

at time _t_ certbot decides it's too far in the future, so doesn't try.
(so what is "too far" - hence my question)

at time _t+1_ certbot tries, but fails due to random fsckup (which I
know to be possible).

at time _t+2_ it's too late, cert has expired.

It's a tradeoff - I could run it every minute and I would be very
confident of eventual success, but that would be wasteful.

> The acme.sh client automatically installs the proper crontab entry for
> renewals.

I'll take a look, but this seems to be behavior inherently specific to
the client, plus a human policy decision.

BTW, knowing this I am glad I have not selected acme.sh as the client to
run :-)

Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign:
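The timing concern in the message above (skip at _t_, failure at _t+1_, expiry at _t+2_), as an added example that is not part of the original post and not code from certbot or acme.sh. The function name, the 30-day renewal window, the 12-hour job interval, the 14-day alert margin and the dates are all assumptions constructed for illustration; substitute the values your client and scheduler actually use.

```python
from datetime import datetime, timedelta, timezone

def renewal_status(not_after, now, renew_window, run_interval, alert_margin):
    """Return (state, guaranteed_attempts) for one certificate.

    Every parameter is an assumption supplied by the caller, not a value
    read from any ACME client:
      renew_window  - how long before expiry the client starts renewing
      run_interval  - how often the scheduled job invokes the client
      alert_margin  - remaining lifetime below which a human should look
    """
    remaining = not_after - now
    if remaining <= timedelta(0):
        return ("expired", 0)                       # time t+2
    if remaining > renew_window:
        # Time t: the client judges expiry too far away and does nothing.
        # Once the window opens, at least this many runs fall inside it,
        # whatever the phase of the schedule.
        return ("not_due", renew_window // run_interval)
    # Inside the window the certificate is still the old one, so every
    # run so far was skipped or failed (time t+1). Count the runs left.
    attempts = remaining // run_interval
    state = "alert" if remaining <= alert_margin else "renewing"
    return (state, attempts)

if __name__ == "__main__":
    # Constructed sample: a certificate expiring 2017-08-01 00:00 UTC.
    expiry = datetime(2017, 8, 1, tzinfo=timezone.utc)
    window = timedelta(days=30)      # assumed client renewal window
    interval = timedelta(hours=12)   # assumed cron/timer period
    margin = timedelta(days=14)      # assumed alerting threshold
    for day in ("2017-06-01", "2017-07-10", "2017-07-25", "2017-08-02"):
        now = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        print(day, renewal_status(expiry, now, window, interval, margin))
```

Run the check from a scheduler separate from the renewal job itself, so that a broken renewal job does not also silence the alert.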
