[buug] letsencrypt

Ian Zimmerman itz at primate.net
Sun May 7 19:25:24 PDT 2017


On 2017-05-07 18:47, Wojciech Adam Koszek wrote:

> You start getting reminders around 2 weeks before the expiration date,
> so I guess anything closer to expiration should be fine.

I guess I have not been clear enough.

I'm not afraid of running the client too often and being kicked or
penalized.  I'm afraid of running it too rarely, and missing renewal
because:

at time _t_ certbot decides it's too far in the future, so doesn't try.
(so what is "too far" - hence my question)

at time _t+1_ certbot tries, but fails due to random fsckup (which I
know to be possible).

at time _t+2_ it's too late, cert has expired.

It's a tradeoff - I could run it every minute and I would be very
confident of eventual success, but that would be wasteful.

> The acme.sh client automatically installs the proper crontab entry for
> renewals.

I'll take a look, but this seems to be behavior inherently specific to
the client, plus a human policy decision.

BTW, knowing this I am glad I have not selected acme.sh as the client to
run :-)

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign:
http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html
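As an added illustration of the tradeoff described above (not code from the thread, from certbot, or from acme.sh), the following Python model replays a cron schedule against a certificate's expiry date. It assumes certbot's default of attempting renewal only once fewer than 30 days remain, and the flaky renewer is a constructed stand-in for the "random fsckup".

```python
import ssl
from datetime import datetime, timedelta, timezone
from typing import Callable, Tuple

# Assumption: certbot's default is to renew once fewer than 30 days remain;
# other clients (e.g. acme.sh) use their own window, so keep it a parameter.
DEFAULT_RENEW_WINDOW_DAYS = 30


def seconds_until_expiry(not_after: str, now: datetime) -> float:
    """not_after is the string `openssl x509 -enddate` prints, e.g.
    'May 21 19:25:24 2017 GMT'; now must be timezone-aware."""
    return ssl.cert_time_to_seconds(not_after) - now.timestamp()


def should_attempt(not_after: str, now: datetime,
                   renew_within_days: int = DEFAULT_RENEW_WINDOW_DAYS) -> bool:
    """The 'too far in the future' check: only attempt inside the window."""
    return seconds_until_expiry(not_after, now) <= renew_within_days * 86400


def simulate(not_after: str, start: datetime, check_every: timedelta,
             try_renew: Callable[[], bool],
             renew_within_days: int = DEFAULT_RENEW_WINDOW_DAYS) -> Tuple[bool, int]:
    """Replay a cron schedule from `start` until the cert is renewed or expires.
    Returns (renewed, number of renewal attempts that actually ran)."""
    now, attempts = start, 0
    while seconds_until_expiry(not_after, now) > 0:
        if should_attempt(not_after, now, renew_within_days):
            attempts += 1
            if try_renew():
                return True, attempts
        now += check_every
    return False, attempts


def flaky(failures_before_success: int) -> Callable[[], bool]:
    """Constructed renewer: fails N times in a row, then succeeds."""
    state = {"left": failures_before_success}

    def attempt() -> bool:
        if state["left"] > 0:
            state["left"] -= 1
            return False
        return True
    return attempt


if __name__ == "__main__":
    # Constructed sample: cert expiring Jun 30 2017, cron starting May 1.
    expiry, start = "Jun 30 00:00:00 2017 GMT", datetime(2017, 5, 1, tzinfo=timezone.utc)
    print("daily  :", simulate(expiry, start, timedelta(days=1), flaky(2)))
    print("monthly:", simulate(expiry, start, timedelta(days=30), flaky(1)))
```

With a daily check two consecutive failures still leave weeks of slack, while a monthly check turns a single failure into an expired certificate.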
