[buug] letsencrypt

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sun May 7 21:53:33 PDT 2017


Well, I seem to recall (which may *not* be fully accurate)
... that the default behavior is renewal attempts start at 30 days
before expiration, and continue daily thereafter until successfully
renewed/replaced.  I'm fairly sure that information is in the
various documentation/FAQ(s) or the like - at least that's where I
seem to recall having read it before.

Some bits of what I do (not that I'd at all recommend everyone do
same):
o I use a relatively "manual" "renewal" process ... but that's highly
   aided by a pair of scripts I wrote - so it automates much of the
   process.
o "renew" - it needn't explicitly be a renewal, requesting new cert
   for same, is in most ways equivalent ... but I think there's an extra
   option to pass to effectively say yes, that's what I want to do and
   ignore that there are still active matching certs[1]
o I use a dedicated non-privileged ID for most all of the cert request /
   "renew" process - it generates key(s), CSR(s), requests cert(s),
   interacts with ACME, and obtains cert(s).
o If I added an expect layer between some of the (major) "helper"/wrapper
   scripts I use, it would then almost be a push-button fire-and-forget
   operation ... but it's "easy enough" as it is thus far, I've not taken
   it to that point ... yet.
o Thus far I've not entrusted certbot or the like, to itself install
   new/updated cert into web server(s), etc.

Also, probably not a bad idea to wrap some monitoring around certs and
expirations in general.  E.g. if one automates it to renew at 30 days
remaining, probably have it trigger some alarm/notification when days
remaining gets down to 15.

references/excerpts/footnotes:
1. certbot(1) --duplicate - peeked at my script - that's the option

> From: "Ian Zimmerman" <itz at primate.net>
> Subject: Re: [buug] letsencrypt
> Date: Sun, 7 May 2017 19:25:24 -0700

> On 2017-05-07 18:47, Wojciech Adam Koszek wrote:
>
>> You start getting reminders around 2 weeks before the expiration date,
>> so I guess anything closer to expiration should be fine.
>
> I guess I have not been clear enough.
>
> I'm not afraid of running the client too often and being kicked or
> penalized.  I'm afraid of running it too rarely, and missing renewal
> because:
>
> at time _t_ certbot decides it's too far in the future, so doesn't try.
> (so what is "too far" - hence my question)
>
> at time _t+1_ certbot tries, but fails due to random fsckup (which I
> know to be possible).
>
> at time _t+2_ it's too late, cert has expired.
>
> It's a tradeoff - I could run it every minute and I would be very
> confident of eventual success, but that would be wasteful.
>
>> The acme.sh client automatically installs the proper crontab entry for
>> renewals.
>
> I'll take a look, but this seems to be behavior inherently specific to
> the client, plus a human policy decision.
>
> BTW, knowing this I am glad I have not selected acme.sh as the client to
> run :-)