[GH-ISSUE #198] Renew own certificate schedule #90

New issue

Open

opened 2026-03-13 15:44:41 +03:00 by kerem · 4 comments

kerem commented

2026-03-13 15:44:41 +03:00

Owner

Originally created by @icelava on GitHub (Nov 19, 2019).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/198

When does acme-dns decide to renew its own certificate (for its REST web site)?

Yesterday we had our other web server (with Certbot) renew one of its certs since it had less than 30 days to expiry. The process used the dns-01 challenge via acme-dns. But acme-dns per se, still appears to be using the original cert that will expire in less than a month's time.

Originally created by @icelava on GitHub (Nov 19, 2019). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/198 When does acme-dns decide to renew its own certificate (for its REST web site)? Yesterday we had our other web server (with Certbot) renew one of its certs since it had less than 30 days to expiry. The process used the _dns-01_ challenge via acme-dns. But acme-dns per se, still appears to be using the original cert that will expire in less than a month's time.

kerem commented

2026-03-13 15:44:47 +03:00

Author

Owner

@icelava commented on GitHub (Nov 21, 2019):

Alright, looks like it has finally renewed the cert some time last evening. Still no idea what sort of schedule it operates with.

@icelava commented on GitHub (Nov 21, 2019): Alright, looks like it has finally renewed the cert some time last evening. Still no idea what sort of schedule it operates with.

kerem commented

2026-03-13 15:44:52 +03:00

Author

Owner

@cpu commented on GitHub (Nov 21, 2019):

@icelava What version of acme-dns are you running? Since v0.8 acme-dns has used certmagic to handle renewing its API certificate. It currently uses the default times configured by that library. If I understand correctly, v0.8+ will:

Check certificates to see if they need to be renewed every 12hrs: github.com/mholt/certmagic@c52848a21d/maintain.go (L434-L435)
Renew any certificate with <30 days lifetime remaining:
github.com/mholt/certmagic@c52848a21d/maintain.go (L437-L438)

@cpu commented on GitHub (Nov 21, 2019): @icelava What version of acme-dns are you running? Since v0.8 `acme-dns` has used `certmagic` to handle renewing its API certificate. It currently uses the default times configured by that library. If I understand correctly, v0.8+ will: * Check certificates to see if they need to be renewed every 12hrs: https://github.com/mholt/certmagic/blob/c52848a21de3ee6c328330589fa6b66cd214e42f/maintain.go#L434-L435 * Renew any certificate with <30 days lifetime remaining: https://github.com/mholt/certmagic/blob/c52848a21de3ee6c328330589fa6b66cd214e42f/maintain.go#L437-L438

kerem commented

2026-03-13 15:44:57 +03:00

Author

Owner

@icelava commented on GitHub (Nov 25, 2019):

I'm not sure how to check version in the actual server? :-/

Going by the release dates, we installed acme-dns back in September, so that's likely v0.7.2 since v0.8 came around October.

Going by the observed behaviour, it took way more than 12 hours (restarted server on 19 Nov, renewed on 21 Nov) for it to finally renew its certificate.

@icelava commented on GitHub (Nov 25, 2019): I'm not sure how to check version in the actual server? :-/ Going by the release dates, we installed acme-dns back in September, so that's likely v0.7.2 since v0.8 came around October. Going by the observed behaviour, it took way more than 12 hours (restarted server on 19 Nov, renewed on 21 Nov) for it to finally renew its certificate.

kerem commented

2026-03-13 15:45:02 +03:00

Author

Owner

@leggewie commented on GitHub (Jan 17, 2022):

@icelava Can this ticket be closed?

@leggewie commented on GitHub (Jan 17, 2022): @icelava Can this ticket be closed?