How does the automatic renewal work in win-acme? #2691
-
Good day, I have a question regarding the automatic renewal. My understanding of the automatic renewal is that if an order is within the due date, win-acme tries to renew the certificate. If it fails the first time it will try the following day and so on.

2024-10-30 02:24:58.212 +01:00 [VRB] Main: previous expires 2024.11.25

Why does win-acme not trigger the renewal even though the order is within the renewal period? The current configuration in the settings.json for the renewal is the following:

We are using an in-house CA to enroll certificates. Our certificates are valid for 90 days. So what I want to achieve with those settings is that win-acme doesn't renew the certificate until the validity reaches 30 days. So after 60 days win-acme tries to renew the certificate every day until the enrollment works. In the best case this would be day 60. I appreciate your help.
-
Have you read the docs at https://www.win-acme.com/reference/settings regarding these settings? I think that should clarify the behaviour that you're seeing.
-
Yes, I have read the documentation of the settings. But interpreting your response correctly I guess my understanding was wrong here. So with my current settings win-acme will try to renew the certificate anywhere between day 60 and 79 (because 11 days minimum) and there is no way of knowing when it will actually do it? And just to confirm my "new" understanding:
Thanks for the help
-
Yes, if you configure a range that means that the actual renewal date will be determined by chance. This is to prevent installations with large numbers of renewals from updating everything at the same time.
Your new proposed settings will work as you described (though 11 is a bit of an odd choice for the MinDays, but that's a guardrail and it's still further in the future than the regular renewaldays, so it's not affecting normal operations).