author | Guilhem Moulin <guilhem@fripost.org> | 2017-06-28 21:33:40 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2017-06-28 22:09:50 +0200 |
commit | 40a54d2ad35630b1c8a7cd88791db032a7983d4d (patch) | |
tree | 12966b4e5a14e81c3c2581437aa01d68201c7bf0 | |
parent | 80c3a95a95ed268905fa87a398748f94628eed44 (diff) |
Change the default 'min-days' from 10 to 21.
This avoids expiration notices from Let's Encrypt when auto-renewal is
done by a cronjob: Let's Encrypt sends a notice 19 (then 9) days before
expiration.
-rw-r--r-- | Changelog | 2 |
-rw-r--r-- | config/lacme-certs.conf | 2 |
-rwxr-xr-x | lacme | 2 |
-rw-r--r-- | lacme.md | 2 |
4 files changed, 5 insertions, 3 deletions
@@ -10,6 +10,8 @@ lacme (0.3) upstream; without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes. + + Change 'min-days' default from 10 to 21, to avoid expiration notices + from Let's Encrypt when auto-renewal is done by a cronjob. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 12fcd54..97d588a 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -28,7 +28,7 @@ # For an existing certificate, the minimum number of days before its # expiration date the section is considered for re-issuance. # -#min-days = 10 +#min-days = 21 # Path to the issuer's certificate. This is used for certificate-chain # and to verify the validity of each issued certificate. Specifying an @@ -714,7 +714,7 @@ elsif ($COMMAND eq 'new-cert') { # skip certificates that expire at least $conf->{'min-days'} days in the future if (-f $conf->{$certtype} and defined (my $t = x509_enddate($conf->{$certtype}))) { - my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 10; + my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 21; if ($d >= 0 and $t - time > $d*86400) { my $d = POSIX::strftime('%Y-%m-%d %H:%M:%S UTC', gmtime($t)); print STDERR "[$s] Valid until $d, skipping\n" unless $OPTS{quiet}; @@ -341,7 +341,7 @@ Valid options are: expiration date the section is considered for re-issuance. A negative value forces reissuance, while the number `0` limits reissuance to expired certificates. - Default: the value of the CLI option `--min-days`, or `10` if there + Default: the value of the CLI option `--min-days`, or `21` if there is no such option. *CAfile* |
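Review bot: the Changelog entry in the first hunk says the default changes but not that explicitly configured values are left alone. The sample config ships the setting commented out (`#min-days = 21`), so any deployment that uncommented the old `min-days = 10` keeps 10 and will still receive the notices this change is meant to avoid. Suggest adding a line to the entry telling operators to review an explicit `min-days` in their certificate config.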
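Review bot: in the `new-cert` hunk of `lacme`, the fallback `// 21` is a bare literal that now has to stay in sync with the commented default in `config/lacme-certs.conf` and the `Default:` text in `lacme.md`; a named constant in the script would give the next change a single place to edit. In the same block the inner `my $d = POSIX::strftime(...)` shadows the outer `$d`, which holds the number of days, with a formatted date string. Renaming the inner variable would keep the threshold and the timestamp from being confused by a later edit.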
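Review bot: the `Default:` line in the `lacme.md` hunk gives the new value `21` but not the condition under which it achieves its purpose. The script skips a certificate while `$t - time > $d*86400`, and the commit message puts the first notice at 19 days, so the margin is two days: a cron job that runs less often than that can skip a certificate at 22 days remaining and not look at it again until after the 19-day notice has gone out. Suggest documenting the required run frequency next to the default, or picking a default with more margin for weekly jobs.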