Comment by jabart
2 days ago
Six days? I can't even set the cron job to weekly. Maybe that is the point of this, though from being on call I really hate things restarting every day. Caddy, Nginx, HAProxy, and IIS all seem to handle certs without a full restart. MS SQL Server, nope.
AFAIK, Caddy is the only integrated ACME client that is tuned for short-lived certificates. All its own self-signed certs are already 24-hour certificates, so 6-day certs will be no problem.
Why would that matter? Replacing the cert and sighup'ing nginx or whatever isn't functionally different from doing it in-process.
As someone who has rolled my own cert updates and used Caddy, I much prefer the Caddy way.
Oh, my, yes it is :) (I don't have time to elaborate on this again right now, unfortunately.)
While it wouldn't help currently, I'm sure in time accommodations will be made - for example, the acme-client on OpenBSD will only renew if <30 days from expiration, so it's cron'd weekly. A client will just need to support custom times, so call it daily and it will renew when 1 or 2 days out to be safe.