Is it possible to adjust the warning levels of an SSL certificate?
For example, I would like to be warned only 1 month before expiry.
Not currently. It might make sense to change it globally on SSL certs, as their expiry date can be a lot shorter, especially if using Let's Encrypt.
I think it makes sense to move from 90 day alerts to 45 days. As it stands currently, LE should have renewed by 45 days and it's still just enough time to get a paid SSL renewed (mostly).
LE are actually exploring moving to SIX day expirations, which I think is insane: https://letsencrypt.org/2024/12/11/eoy-letter-2024/
We've got multiple LE certs that haven't expired by 30 days (right now we have one that expires on 7th Feb that hasn't renewed yet).
Being able to adjust, or set a default then adjust after would be the best, as we have regular annual certs that we want notification at say, 30 days, and then LE, which we don't need to know about until a max of 14 days before renewal (plenty of time to do something if needed, maybe even less) as we're just getting a bunch of excess notifications that we're not doing anything with.
6 days is just stupid, aka, they want them all and stuff regular certs. Yes it should be automated, but there are many systems where it simply isn't an option…
I would prefer to avoid even more customisation, especially as granular as per certificate. I think this is something we can fix through good defaults, or at least better defaults.
So this doesn't get forgotten: https://tasks.dev.itflow.org/task_details.php?task_id=55
Just a note that Let's Encrypt is now discontinuing expiration emails: https://letsencrypt.org/2025/01/22/ending-expiration-emails/ making the likes of ITFlow more important for tracking them…
Haha, yes fortunately! The oldest LE cert that hasn't renewed yet now expires on the 24th.
Hello again,
Haven't had much further feedback on this. Johnny has already introduced a change into develop that changes certificate notifications to 1, 7 and 45 days. I've raised a PR that excludes LE certificates from the 45-day notifications, so you'll get notified at 7 days and 1 day before expiry for those - in my experience this is still enough notice to fix whatever broke certbot.
We can monitor feedback on this and adjust accordingly.
Configurable is ideal (even LE vs others), simply because some people need more time than 7 days to get their A into G for the bigger wildcard certs etc because they're going into multiple services. LE, yeah, 7 days is probably fine.
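
The schedule described in the thread (notices at 45, 7 and 1 days before expiry, with Let's Encrypt certificates skipping the 45-day notice), as an added example that is not ITFlow's code and not written by any poster. The inventory format, the field names and the matching on the issuer's `O=` value are assumptions.

```python
from datetime import date

# Schedule from the thread: notify 45, 7 and 1 days before expiry.
THRESHOLDS = (45, 7, 1)
# Let's Encrypt certificates skip the 45-day notice (assumed to be keyed on issuer).
LE_SKIPPED = {45}


def issuer_org(issuer_dn):
    """Return the O= value of a simple comma-separated issuer DN, or ''.

    Assumption: values contain no embedded commas.
    """
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "O":
            return value.strip()
    return ""


def thresholds_for(issuer_dn):
    """Pick the notification days that apply to this issuer."""
    if issuer_org(issuer_dn).lower() == "let's encrypt":
        return tuple(t for t in THRESHOLDS if t not in LE_SKIPPED)
    return THRESHOLDS


def due_notifications(certs, today):
    """Return (name, days_left) for every certificate that hits a threshold today."""
    due = []
    for cert in certs:
        days_left = (cert["expires"] - today).days
        if days_left in thresholds_for(cert["issuer"]):
            due.append((cert["name"], days_left))
    return due


# Constructed sample inventory (hypothetical names and dates).
SAMPLE_TODAY = date(2025, 2, 1)
SAMPLE_CERTS = [
    {"name": "www.example.com", "issuer": "C=US, O=Let's Encrypt, CN=R11", "expires": date(2025, 3, 18)},
    {"name": "shop.example.com", "issuer": "C=US, O=DigiCert Inc, CN=Example CA", "expires": date(2025, 3, 18)},
    {"name": "mail.example.com", "issuer": "C=US, O=Let's Encrypt, CN=R11", "expires": date(2025, 2, 8)},
    {"name": "vpn.example.com", "issuer": "C=US, O=Let's Encrypt, CN=R10", "expires": date(2025, 2, 2)},
    {"name": "old.example.com", "issuer": "C=US, O=DigiCert Inc, CN=Example CA", "expires": date(2025, 2, 11)},
]

if __name__ == "__main__":
    for name, days in due_notifications(SAMPLE_CERTS, SAMPLE_TODAY):
        print(f"{name}: expires in {days} day(s)")
```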