From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: acme-client(8): Adapt renewal calculation for shortlived certificates.
To: tech <tech@openbsd.org>
Date: Thu, 18 Sep 2025 13:20:55 +0100

On 2025/09/16 17:31, Florian Obser wrote:
> If the lifetime is more than 10 days, renew if less than 1/3 of the
> lifetime is left. Otherwise renew after 1/2 of the remaining lifetime.

This has what I think is a nice side-effect. Buypass are no longer
issuing certificates; they were setting validity to 180 days, so this
change means renewal of those is attempted at 60 rather than 30 days.
As long as you see acme-client's error codes, this gives you an extra
30 days to fix your config.

> Since we suggest to run the cronjob daily, this is capped at 3 days
> remaining lifetime to have the opportunity to run the cronjob at least
> twice.
> 
> I would like to commit this as soon as the tree unlocks again after
> 7.8. OK?

needs this or similar. otherwise one nit below and it's ok with me.

fwiw I don't think this adds risk - it's just parsing an additional
field in exactly the same way as one that we already parse, and
calculations are simple.

As far as I'm concerned, committing before release would also be ok,
and maybe preferable given the buypass situation.


Index: acme-client.1
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
diff -u -p -r1.42 acme-client.1
--- acme-client.1	16 May 2023 09:02:50 -0000	1.42
+++ acme-client.1	18 Sep 2025 12:08:37 -0000
@@ -40,9 +40,12 @@ The certificates are typically used to p
 but can be used in any situation where domain name validation is required
 (such as mail servers).
 .Pp
-If the certificate already exists and is less than 30 days from expiry,
+If the certificate already exists and is close to expiry,
 .Nm
 attempts to renew the certificate.
+For certificates with a lifetime of more than 10 days, this is done when
+less than a third of the lifetime remains.
+Otherwise, renewal is done when half the lifetime has expired.
 .Pp
 In order to prove that the client has access to the domain,
 a challenge is issued by the signing authority.
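Review bot: the new sentences document the one-third and one-half rules but not the 3-day floor described in the quoted text (renewal is attempted whenever less than 3 days remain, so a daily cron job gets at least two chances before expiry). Suggest a third sentence after "Otherwise, renewal is done when half the lifetime has expired.", for example "In either case, renewal is attempted once less than three days of lifetime remain."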
@@ -67,8 +70,7 @@ location "/.well-known/acme-challenge/*"
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl F
-Force certificate renewal, even if it has more than 30 days
-validity.
+Force certificate renewal, regardless of remaining lifetime.
 .It Fl f Ar configfile
 Specify an alternative configuration file.
 .It Fl n

> diff --git revokeproc.c revokeproc.c
...
> +	/* We suggest to run renewals daily. Make sure we have 2 chances. */
> +	if (renew_allow < 3 * 24 * 60 *60)
> +		renew_allow = 3 * 24 * 60 *60;
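Review bot: the floor value `3 * 24 * 60 *60` is spelled out twice; a single named constant (for example `#define RENEW_FLOOR (3 * 24 * 60 * 60)`) keeps both sites in step and removes the spacing nit at the same time. Note also that if `renew_allow` is the remaining-lifetime threshold below which renewal is attempted, the floor exceeds the whole lifetime for certificates valid 3 days or less, so those would be renewed on every run; worth a comment if that is the intended behaviour.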

nit: "60 *60" -> "60 * 60"

otherwise ok
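The renewal rule described in the quoted text, written out as an added example rather than acme-client's own code: the 10-day boundary, the 1/3 and 1/2 fractions and the 3-day floor come from the description above, while the function names and the strict "less than" comparison against the remaining lifetime are assumptions.

```c
#include <time.h>

#define DAY_SECS	(24 * 60 * 60)

/*
 * Remaining lifetime (seconds) below which renewal is attempted.
 * Lifetimes longer than 10 days renew once a third is left, shorter
 * ones once half is left.  A floor of 3 days gives a daily cron job
 * at least two chances before the certificate expires.
 */
time_t
renew_threshold(time_t lifetime)
{
	time_t renew_allow;

	if (lifetime > 10 * DAY_SECS)
		renew_allow = lifetime / 3;
	else
		renew_allow = lifetime / 2;

	if (renew_allow < 3 * DAY_SECS)
		renew_allow = 3 * DAY_SECS;
	return renew_allow;
}

/*
 * Returns 1 if a certificate valid from not_before to not_after should
 * be renewed at time now, 0 otherwise.  Expired or malformed validity
 * periods always renew.
 */
int
should_renew(time_t not_before, time_t not_after, time_t now)
{
	time_t lifetime = not_after - not_before;
	time_t remaining = not_after - now;

	if (lifetime <= 0 || remaining <= 0)
		return 1;
	return remaining < renew_threshold(lifetime);
}
```

For a lifetime of 3 days or less the floor is larger than the whole lifetime, so should_renew() returns 1 on every run; that is the corner case the floor introduces for very short-lived certificates.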