From 40a54d2ad35630b1c8a7cd88791db032a7983d4d Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 28 Jun 2017 21:33:40 +0200
Subject: Change the default 'min-days' from 10 to 21.

This avoids expiration notices from Let's Encrypt when auto-renewal is done by a cronjob: Let's Encrypt sends a notice 19 (then 9) days before expiration.
---
 Changelog | 2 ++
 config/lacme-certs.conf | 2 +-
 lacme | 2 +-
 lacme.md | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/Changelog b/Changelog
index fdb0775..0619ffd 100644
--- a/Changelog
+++ b/Changelog
@@ -10,6 +10,8 @@ lacme (0.3) upstream;
 without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes.
+ + Change 'min-days' default from 10 to 21, to avoid expiration notices
+ from Let's Encrypt when auto-renewal is done by a cronjob.
 - Ensure lacme's config file descriptor is not passed to the accountd or webserver components.
 - new-cert: sort section names if not passed explicitely.
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 12fcd54..97d588a 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -28,7 +28,7 @@
 # For an existing certificate, the minimum number of days before its
 # expiration date the section is considered for re-issuance.
 #
-#min-days = 10
+#min-days = 21

 # Path to the issuer's certificate. This is used for certificate-chain
 # and to verify the validity of each issued certificate. Specifying an
diff --git a/lacme b/lacme
index fd90d1e..d7a416e 100755
--- a/lacme
+++ b/lacme
@@ -714,7 +714,7 @@ elsif ($COMMAND eq 'new-cert') {
 # skip certificates that expire at least $conf->{'min-days'} days in the future
 if (-f $conf->{$certtype} and defined (my $t = x509_enddate($conf->{$certtype}))) {
- my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 10;
+ my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 21;
 if ($d >= 0 and $t - time > $d*86400) {
 my $d = POSIX::strftime('%Y-%m-%d %H:%M:%S UTC', gmtime($t));
 print STDERR "[$s] Valid until $d, skipping\n" unless $OPTS{quiet};
diff --git a/lacme.md b/lacme.md
index 94b40cb..4146515 100644
--- a/lacme.md
+++ b/lacme.md
@@ -341,7 +341,7 @@ Valid options are:
 expiration date the section is considered for re-issuance. A negative value forces reissuance, while the number `0` limits reissuance to expired certificates.
- Default: the value of the CLI option `--min-days`, or `10` if there
+ Default: the value of the CLI option `--min-days`, or `21` if there
 is no such option.

 *CAfile*
-- cgit v1.2.3
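Review bot: The new default on the `my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 21;` line is a bare literal that is also spelled out in config/lacme-certs.conf and lacme.md, so the three copies now have to be kept in sync by hand; hoisting it into a named value near the top of the script, e.g. `my $MIN_DAYS_DEFAULT = 21;` (outside this hunk), and using `// $MIN_DAYS_DEFAULT` here would leave one authoritative definition. A why-comment on the line would also keep the rationale from the commit message next to the number, e.g. `# 21 > 19: Let's Encrypt sends its first expiration notice 19 days before expiry`. The enclosing `elsif ($COMMAND eq 'new-cert')` block starts outside the hunk and the `if (-f ...)` opened here closes outside it.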