author Guilhem Moulin <guilhem@fripost.org> 2017-06-28 21:33:40 +0200
committer Guilhem Moulin <guilhem@fripost.org> 2017-06-28 22:09:50 +0200
commit 40a54d2ad35630b1c8a7cd88791db032a7983d4d
tree 12966b4e5a14e81c3c2581437aa01d68201c7bf0
parent 80c3a95a95ed268905fa87a398748f94628eed44
Change the default 'min-days' from 10 to 21.
This avoids expiration notices from Let's Encrypt when auto-renewal is done by a cronjob: Let's Encrypt sends a notice 19 (then 9) days before expiration.
-rw-r--r-- Changelog 2
-rw-r--r-- config/lacme-certs.conf 2
-rwxr-xr-x lacme 2
-rw-r--r-- lacme.md 2
4 files changed, 5 insertions, 3 deletions
diff --git a/Changelog b/Changelog
index fdb0775..0619ffd 100644
--- a/Changelog
+++ b/Changelog
@@ -10,6 +10,8 @@ lacme (0.3) upstream;
without a public HTTP daemon listening on port 80 need to set the
'listen' option to [::] and/or 0.0.0.0, and possibly set the
'iptables' option to Yes.
+ + Change 'min-days' default from 10 to 21, to avoid expiration notices
+ from Let's Encrypt when auto-renewal is done by a cronjob.
- Ensure lacme's config file descriptor is not passed to the accountd
or webserver components.
- new-cert: sort section names if not passed explicitely.
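Review bot: The new Changelog entry gives the motivation but not the figure that makes 21 the right number. The commit message says Let's Encrypt sends its first notice 19 days before expiration; putting that in the entry, for instance "(the first notice is sent 19 days before expiration)", lets a reader see why the default landed on 21 and how much margin it leaves. Since this changes when a cronjob starts renewing for everyone who relies on the default, it would also help to say that an explicitly configured 'min-days' is not affected.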
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 12fcd54..97d588a 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -28,7 +28,7 @@
# For an existing certificate, the minimum number of days before its
# expiration date the section is considered for re-issuance.
#
-#min-days = 10
+#min-days = 21
# Path to the issuer's certificate. This is used for certificate-chain
# and to verify the validity of each issued certificate. Specifying an
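Review bot: The comment block above "#min-days = 21" still only describes what the option does, so nothing in the sample config tells an administrator why 21 was chosen or what happens below it. A short extra comment line, such as "# Values below 19 may trigger expiration notices from Let's Encrypt.", would carry the rationale from the commit message to the place where people actually edit the value. Installations that already uncommented the old "min-days = 10" keep 10 after this change, which is worth stating somewhere users will see it.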
diff --git a/lacme b/lacme
index fd90d1e..d7a416e 100755
--- a/lacme
+++ b/lacme
@@ -714,7 +714,7 @@ elsif ($COMMAND eq 'new-cert') {
# skip certificates that expire at least $conf->{'min-days'} days in the future
if (-f $conf->{$certtype} and defined (my $t = x509_enddate($conf->{$certtype}))) {
- my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 10;
+ my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 21;
if ($d >= 0 and $t - time > $d*86400) {
my $d = POSIX::strftime('%Y-%m-%d %H:%M:%S UTC', gmtime($t));
print STDERR "[$s] Valid until $d, skipping\n" unless $OPTS{quiet};
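Review bot: The new fallback in "my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 21;" leaves only a two-day margin over the 19-day notice mentioned in the commit message. Because the skip test is "$t - time > $d*86400", a run that finds slightly more than 21 days remaining skips the certificate, and the next run has to happen before 19 days remain; a cronjob that runs weekly can therefore still receive the notice. Either document that the default assumes a run at least every two days, or pick a larger margin. Separately, the literal 21 now has to stay in sync with config/lacme-certs.conf and lacme.md; a named constant here would make that dependency easier to spot.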
diff --git a/lacme.md b/lacme.md
index 94b40cb..4146515 100644
--- a/lacme.md
+++ b/lacme.md
@@ -341,7 +341,7 @@ Valid options are:
expiration date the section is considered for re-issuance.
A negative value forces reissuance, while the number `0` limits
reissuance to expired certificates.
- Default: the value of the CLI option `--min-days`, or `10` if there
+ Default: the value of the CLI option `--min-days`, or `21` if there
is no such option.
*CAfile*
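Review bot: The "Default:" line states the new value but the surrounding description gives no guidance for users who set their own 'min-days'. Consider adding a sentence after "or `21` if there is no such option." explaining that the default is chosen to renew before Let's Encrypt's first expiration notice (19 days before expiration, per the commit message), so that anyone picking a smaller value knows they should expect those notices.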