Comment by PunchyHamster
1 day ago
> 6 days means on a long enough timeframe the load will end up evenly distributed across a week.
People will put */5 in cron and the result will be the same, because that's an obvious, easy and nice number.
If they put */5 in cron, a single error response will break their site and the beginning of March will also break their site.
And they will replace it with * and just do it every day, just in case.
Running an update script every day is good. Certbot defaults to running twice a day. Just use something with similar logic, waiting to renew short-lived certificates until halfway through their validity period. That way the actual load is nice and spread out. And you should get that logic by default if you do a normal setup.
I’d expect most will do this. I wouldn’t be surprised if LE expects this.
I'd have it renew Monday and Thursday to avoid weekend outages.
If I would use short-lived certs I would make sure to choose an ACME client that has support for ARI (ACME Renewal Information). Then the CA will tell the client when it’s time to renew.
ACME doesn't renew certificates when there's enough time, so it'll always renew around 6 days, even if you check more aggressively.
Currently ACME sets its cron job to 12 days on 90 day certificates.
Which ACME client are you referring to?
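The "check daily, renew once half the validity period has passed" logic discussed in this thread, as an added example that is not part of any comment and not code from any ACME client. It assumes a 6-day certificate lifetime, models the job as a fixed interval rather than cron's day-of-month matching, and uses constructed failure points; `should_renew` and `outage_hours` are hypothetical names.

```python
from datetime import datetime, timedelta, timezone

def should_renew(not_before, not_after, now, fraction=0.5):
    """True once `fraction` of the certificate's validity period has elapsed."""
    return now >= not_before + (not_after - not_before) * fraction

def outage_hours(lifetime, interval, failed_runs=(), days=60, fraction=0.5):
    """Simulate a renewal job that fires every `interval` for `days` days.

    failed_runs holds the indices of job runs where the CA request fails
    (constructed input). Returns the hours spent with an expired certificate.
    """
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed start date
    end = start + timedelta(days=days)
    not_before, not_after = start, start + lifetime
    outage = timedelta(0)
    now, run = start, 0
    while now <= end:
        due = should_renew(not_before, not_after, now, fraction)
        if due and run not in failed_runs:
            if now > not_after:
                # The old certificate expired before this run replaced it.
                outage += now - not_after
            not_before, not_after = now, now + lifetime
        now += interval
        run += 1
    if end > not_after:
        # Still expired when the simulation window closes.
        outage += end - not_after
    return outage.total_seconds() / 3600

SIX_DAYS = timedelta(days=6)  # assumed short-lived certificate lifetime

if __name__ == "__main__":
    # A job every 5 days has no slack: one failed run means an expired cert.
    print("every 5 days, one failure:",
          outage_hours(SIX_DAYS, timedelta(days=5), failed_runs={1}), "h expired")
    # A daily job with the halfway threshold retries the next day.
    print("daily, two failures:",
          outage_hours(SIX_DAYS, timedelta(days=1), failed_runs={3, 4}), "h expired")
```

With a 6-day certificate, the halfway threshold leaves three days of daily retries before expiry, while a 5-day interval leaves none.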