Warning Level - SSL certificate

jonash

Is it possible to adjust the warning levels of an SSL certificate?

For example, I would like to be warned only 1 month before expiry

johnny

Not currently, It might makes sense to change it globally on ssl certs as their expire date can be a lot shorter especially if using lets encrypt

wrongecho

I think it makes sense to move from 90 day alerts to 45 days. As it stands currently, LE should have renewed by 45 days and it's still just enough time to get a paid SSL renewed (mostly).

LE are actually exploring moving to SIX day expirations, which I think is insane: https://letsencrypt.org/2024/12/11/eoy-letter-2024/

Alan

We've got multiple LE certs that haven't expired by 30 days (right now we have one that expires on 7th Feb that hasn't renewed yet).

Being able to adjust, or set a default then adjust after would be the best, as we have regular annual certs that we want notification at say, 30 days, and then LE, which we don't need to know about until a max of 14 days before renewal (plenty of time to do something if needed, maybe even less) as we're just getting a bunch of excess notifications that we're not doing anything with.

6 days is just stupid, aka, they want them all and stuff regular certs. Yes it should be automated, but there are many systems where it simply isn't an option…

jonash

Alan

I agree here.

Everyone has different preferences and processing times. Everyone needs a different lead time.

I would like to have a setting to generally display the time for certificates

wrongecho

I would prefer to avoid even more customisation, especially as granular as per certificate. I think this is something we can fix through good defaults, or at least better defaults.

wrongecho

So this doesn't get forgotten: https://tasks.dev.itflow.org/task_details.php?task_id=55

Alan

Just a note that LetsEncrypt is now discontinuing expiration emails: https://letsencrypt.org/2025/01/22/ending-expiration-emails/ making the likes if ITFlow more important for tracking them…

wrongecho

Alan Yeah I've been looking into this and am still uncertain how we reach a happy medium.

Did your LE certificate due to expire on the 7th renew yet? 😉

Alan

Haha, yes fortunately! 😃 The oldest LE cert that hasn't renewed yet now expires on the 24th.

wrongecho

Hello again,

Haven't had much further feedback on this. Johnny has already introduced a change into develop that changes certificate notifications to 1, 7 and 45 days. I've raised a PR that excludes LE certificates from the 45-day notifications, so you'll get notified at 7 days and 1 day before expiry for those - in my experience this is still enough notice to fix whatever broke certbot.

We can monitor feedback on this and adjust accordingly.

Alan

Configurable is ideal (even LE vs others), simply because some people need more time than 7 days to get their A into G for the bigger wildcard certs etc because they're going into multiple services. LE, yeah, 7 days is probably fine.

wrongecho

@Alan / @jonash Are you on the latest release yet? If so, how are you finding this change?

Alan

Haven't updated yet, on the to-do list this week (if everyone would just bugger off and leave me alone for a minute) 😃

(Also waiting for the dust to settle on the previous update issues)

pecceg2

Hi! Another person here is having the same issue, but with a different provider.

We use Google Trust Services and CloudFlare as SSL certificate providers for our sites. Unfortunately, we keep receiving the 45-day alert, as they typically renew certificates within 20-30 days.

Is there a way to add Google Trust Services to this "blacklist" via configuration or environment variables?

Thank you very much!

wrongecho

pecceg2 Hello. Are you running the latest release? The change was not scoped only to LE certs by issuer, but based on the certificate validity period being less than 90 days.