FlorianUekermann / rustls-acme

Apache License 2.0

Certificates not renewing #33

Closed casey closed 1 year ago

casey commented 1 year ago

I have rustls-acme managing the certs for ordinals.com, and they aren't being renewed despite the expiration date being a couple weeks away:

$ openssl s_client -servername ordinals.com -connect ordinals.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 23 05:54:45 2022 GMT
notAfter=Nov 21 05:54:44 2022 GMT

On restart, the logs display the following:

Nov 09 16:34:14 ordinals.com ord[1386831]: [2022-11-09T16:34:14Z INFO  ord::subcommand::server] ACME event: DeployedCachedCert

Am I understanding the output correctly? And is there anything I need to do to get the certs to renew?

FlorianUekermann commented 1 year ago

As long as your system clock is correct and you keep polling on the Incoming or AcmeState you should be good. Polling renews certs indefinitely, but whenever a new cert was acquired or loaded from cache, the renewal loop pauses (returns Pending) until half of the duration between now and the expiry of the cert has passed.

Given that you restarted on the 9th and the cert is valid until the 21st, it should renew some time around the 15th.

Calculating the time like this instead of setting a fixed safety margin avoids spamming renewals if certs are valid for a shorter time than the fixed safety margin. If you would like to renew at a fixed time before expiry, I could add a config flag for that.

casey commented 1 year ago

I think there are a couple downsides to the current approach, if I understand it correctly:

The emails say the following:

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

This seems like a pretty good recommendation, i.e. renew based not on a fixed safety margin, or depending on how often the server is restarted, but upon a % of the lifetime of the cert elapsing. I think the Let's Encrypt default of renewing when 1/3 of the cert's lifetime is left seems reasonable, and will also have the benefit of avoiding renewal reminder emails.

FlorianUekermann commented 1 year ago

Yes, you understood correctly and I agree with all of your points and recommendation. I'll switch to the 1/3 of the cert lifetime rule. I'm travelling until Monday, so I may push the change, but won't publish a new release until I've had a chance to test it at home.
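The two renewal policies discussed above (the current "wait until half of the remaining time has passed" loop and the proposed "renew when a third of the total lifetime is left" rule) can be compared directly on the certificate from this thread. The following is an added example, not rustls-acme's own code: all names (`Validity`, `next_check_half_remaining`, `renew_at_one_third_left`, and so on) are assumed for illustration, times are Unix seconds with integer arithmetic, and the date helpers are Howard Hinnant's civil-date algorithms so that it runs without external crates.

```rust
// Added example (not rustls-acme code): compares the two renewal policies
// discussed in the issue using the certificate dates quoted in the thread.
// Times are Unix seconds; date helpers are Howard Hinnant's civil-date
// algorithms so the example needs no external crates.

/// Unix timestamp in seconds.
pub type Ts = i64;

/// Validity window of a certificate (the two `openssl x509 -dates` values).
#[derive(Clone, Copy, Debug)]
pub struct Validity {
    pub not_before: Ts,
    pub not_after: Ts,
}

/// Days since 1970-01-01 for a proleptic Gregorian date.
pub fn days_from_civil(y: i64, m: i64, d: i64) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let mp = if m > 2 { m - 3 } else { m + 9 };
    let doy = (153 * mp + 2) / 5 + d - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    era * 146097 + doe - 719468
}

/// Inverse of `days_from_civil`: (year, month, day).
pub fn civil_from_days(days: i64) -> (i64, i64, i64) {
    let z = days + 719468;
    let era = (if z >= 0 { z } else { z - 146096 }) / 146097;
    let doe = z - era * 146097;
    let yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    let y = yoe + era * 400 + if m <= 2 { 1 } else { 0 };
    (y, m, d)
}

/// Unix seconds for a UTC date and time.
pub fn utc(y: i64, mo: i64, d: i64, h: i64, mi: i64, s: i64) -> Ts {
    days_from_civil(y, mo, d) * 86_400 + h * 3_600 + mi * 60 + s
}

/// Policy described in the thread as current behaviour: after a cert is
/// acquired or loaded, pause until half of the time between `now` and expiry
/// has passed. The result depends on when the process (re)started.
pub fn next_check_half_remaining(cert: Validity, now: Ts) -> Ts {
    now + (cert.not_after - now) / 2
}

/// Proposed rule (Let's Encrypt integration guide): renew once one third of
/// the certificate's total lifetime is left. Independent of restart time.
pub fn renew_at_one_third_left(cert: Validity) -> Ts {
    cert.not_after - (cert.not_after - cert.not_before) / 3
}

/// True when the one-third rule says a renewal is due at `now`.
pub fn due_one_third_left(cert: Validity, now: Ts) -> bool {
    now >= renew_at_one_third_left(cert)
}

/// Certificate validity and restart time quoted in the issue (constructed
/// from the openssl output and the log line above).
pub fn ordinals_example() -> (Validity, Ts) {
    let cert = Validity {
        not_before: utc(2022, 8, 23, 5, 54, 45),
        not_after: utc(2022, 11, 21, 5, 54, 44),
    };
    let restart = utc(2022, 11, 9, 16, 34, 14);
    (cert, restart)
}

fn main() {
    let (cert, restart) = ordinals_example();
    let half = next_check_half_remaining(cert, restart);
    let third = renew_at_one_third_left(cert);
    println!(
        "half-remaining rule, next renewal check: {:?}",
        civil_from_days(half.div_euclid(86_400))
    );
    println!(
        "one-third-left rule, renewal due at:     {:?}",
        civil_from_days(third.div_euclid(86_400))
    );
    println!(
        "already due under one-third rule at restart: {}",
        due_one_third_left(cert, restart)
    );
}
```

Running it reproduces the "around the 15th" estimate from the thread for the half-remaining rule (the check lands on 2022-11-15), while the one-third rule puts the renewal at 2022-10-22 for this 90-day certificate, i.e. it was already overdue at the 9 November restart. The difference is the point casey makes: the first rule's renewal date moves with every restart, the second is fixed by the certificate itself.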