Is it possible to adjust the warning levels of an SSL certificate?

For example, I would like to be warned only 1 month before expiry

Not currently, It might makes sense to change it globally on ssl certs as their expire date can be a lot shorter especially if using lets encrypt

I think it makes sense to move from 90 day alerts to 45 days. As it stands currently, LE should have renewed by 45 days and it's still just enough time to get a paid SSL renewed (mostly).

LE are actually exploring moving to SIX day expirations, which I think is insane: https://letsencrypt.org/2024/12/11/eoy-letter-2024/

We've got multiple LE certs that haven't expired by 30 days (right now we have one that expires on 7th Feb that hasn't renewed yet).

Being able to adjust, or set a default then adjust after would be the best, as we have regular annual certs that we want notification at say, 30 days, and then LE, which we don't need to know about until a max of 14 days before renewal (plenty of time to do something if needed, maybe even less) as we're just getting a bunch of excess notifications that we're not doing anything with.

6 days is just stupid, aka, they want them all and stuff regular certs. Yes it should be automated, but there are many systems where it simply isn't an option…

    I would prefer to avoid even more customisation, especially as granular as per certificate. I think this is something we can fix through good defaults, or at least better defaults.

    Alan

    I agree here.

    Everyone has different preferences and processing times. Everyone needs a different lead time.

    I would like to have a setting to generally display the time for certificates

    14 days later
    7 days later

    Alan Yeah I've been looking into this and am still uncertain how we reach a happy medium.

    Did your LE certificate due to expire on the 7th renew yet? 😉

    4 days later

    Haha, yes fortunately! 😃 The oldest LE cert that hasn't renewed yet now expires on the 24th.

    a month later

    Hello again,

    Haven't had much further feedback on this. Johnny has already introduced a change into develop that changes certificate notifications to 1, 7 and 45 days. I've raised a PR that excludes LE certificates from the 45-day notifications, so you'll get notified at 7 days and 1 day before expiry for those - in my experience this is still enough notice to fix whatever broke certbot.

    We can monitor feedback on this and adjust accordingly.

    Configurable is ideal (even LE vs others), simply because some people need more time than 7 days to get their A into G for the bigger wildcard certs etc because they're going into multiple services. LE, yeah, 7 days is probably fine.

    15 days later