Finetune the SSL expiration alert period
under review
Arnaud Lapiere
Right now, the Let's Encrypt certificate expiration alert is sent 14 days, 7 days and 1 day before.
I have a certbot that renews it 5 days before.
So every month, I receive alerts 14 days and 7 days for all domains,
which are perfectly normal. Hence, some 'alert noise' that I don't take into account anymore...
Suggestion:
Let us select a custom period for SSL expiration dates.
I think globally, with 2 different settings: one for "standard" certificates, the other for "Let's Encrypt" certificates.
--> only alert when worth alerting :)
--> smarter monitoring
Adrien Rey-Jarthon
Hello,
Actually 14, 7, 1 is already the special schedule for Let's Encrypt certificates. This is automatically detected by updown.io so you don't have to; normal 1-year certificates get an additional 30-day reminder.
The threshold for Let's Encrypt certs starts at 14 days because the default renew delay is 30 days before expiration: https://certbot.eff.org/docs/using.html. This can be down to 23 days with a weekly cron for example (pretty common), so that's why we chose 14 days: you have plenty of time to renew but still have time to investigate and fix any potential auto-renew issues.
If you'd rather renew your cert only 5 days before expiration, that's up to you, but we won't recommend or support this configuration as we consider it dangerous ☺
I'll mark this suggestion as "Under Review" to measure the need for this.
📆
This response was made on 2021-11-22 (the comment date is wrong)
Adrien Rey-Jarthon
@Cilex when is OVH renewing?
Cilex
Same here - using provider OVH, and we can't define when they'll renew the certificate.
Hoder Jensen
It's also a feature we would like to see implemented, as we have webhosts (running cPanel, but that might just be their choice and nothing to do with cPanel default config) that renew the certificate as late as the day before, but we also have older systems we monitor, where certificate renewal can't be automated, and a new certificate is installed manually as close as a week before expiry because of planning and to avoid downtime.
So per-check customization would be really nice, but until that is possible, maybe an option to turn off globally on the account could be a "quick fix". E.g. we would disable the 14-day warning, so it would be 30, 7 and 1 on normal certificates, and 7 and 1 on Let's Encrypt/ZeroSSL certificates. It would mean we would still get warnings every 3 months on the few "weird" webhosts we have, but that's doable, until per-check customization is possible ;)
Connect-ed Media
Upvote, my hosting provider seems to renew 14 days before expiry. So I get unneeded mails on the 14-day threshold too.
Adam Gibbins
Hello,
I'm a user of Netlify's service for hosting static sites. They provide Let's Encrypt certificates; however, they don't appear to be renewed until ~10 days before expiry. I have no control over this, so I get notifications from updown.io when 14 days remain every time. It'd be nice to be able to tune this.
I can only assume they're doing this as they're operating at large scale so this delayed renewal significantly reduces load, so it's not likely they'll alter it to align with LE recommendations.