Consider to use openssl -enddate to determine certificate renewal

[rzech]

The default renew delay used by acme.sh is 60 days. This makes absolutely sense for 90-day certificates issued by LE. But amce.sh also supports other RFC-8555 compliant CAs. For eg. Sectigo issues 1-year certificates through ACME. In this case I think 60 days is not really appropriate. I know that one can set the delay (Le_RenewalDays) in each domain-conf but my idea would be to use openssl -enddate to determine the expiration date of a successful issued certificate and then substract the amount of days the certificate should be renewed earlier (eg. expiredate - 30 days).

I already run my own bash script as --post-hook to achieve this (I can provide the code if needed), but I think it could be a nice feature to have acme.sh support this out of the box...

[neilpang]

show me your code.

[rzech]

My little bash-script takes the path to the acme.sh domain config file as parameter. Then it uses openssl to get the expiration date of the certificate, calculates the new renew date and replaces the old date in the config file.

An certificate issue would now look like this:
acme.sh --issue -d <domainname> --dns dns_nsupdate --post-hook "<path2script>/calc_renewal.sh <cert-home>/<domainname>/<domainname>.conf"

There are probably smarter ways to achive the same, but I didn't want to change any code in acme.sh and for me it does the trick.

Script: calc_renewal.txt (only tested on CentOS Linux release 8.3.2011)

[fmiqbal]

@rzech that code works well, thanks

anyway, any update on the PR ?

[lukastribus]

#4457 was merged, you can now specify days until expiration by using negative days:

# ../acme.sh.orig | grep ndays -A1
  --days <ndays>                    Specifies the days to renew the cert when using '--issue' command. The default value is 30 days.
                                      Negative values could be used to specify a number of days relative to the expiration date of the certificate.
#