ARI - Run cron job more frequently by sim0n-v · Pull Request #6939 · acmesh-official/acme.sh

sim0n-v · 2026-05-03T14:40:44Z

With ACME Renewal Info (RFC9773 §4.3), fetching renewal window should be more frequent, e.g. in case of revocation incident.

For instance, a server that needs to revoke certificates within 24 hours of notification of a problem might choose to reserve twelve hours for investigation, six hours for clients to fetch updated RenewalInfo objects, and six hours for clients to perform a renewal.

This PR makes the cron job run every 6 hours (nb: the cron job is not modified during acme.sh upgrades).

More flexible option is to run the cron job even more frequently (e.g. each hour) and store the time at which fetching ARI should be made (using the Retry-After header).

neilpang · 2026-05-06T18:08:53Z

why not just $_random_minutes */6 * * * ?

sim0n-v · 2026-05-06T20:23:37Z

I guess $random_minute */6 * * * is the same as $random_minute 0/6 * * *: every clients will request ARI the same hour, and the CA may overload on 0,6,12,18 hours.

Much better if this is randomized across each hour.

As per RFC9773 §4.3:

During the lifetime of a certificate, the renewal information needs to be fetched frequently enough that clients learn about changes in the suggested window quickly, but without overwhelming the server.

With ACME Renewal Info (RFC9773 §4.3), fetching renewal window should be more frequent, e.g. in case of revocation incident. "For instance, a server that needs to revoke certificates within 24 hours of notification of a problem might choose to reserve twelve hours for investigation, six hours for clients to fetch updated RenewalInfo objects, and six hours for clients to perform a renewal." More flexible option is to run the cron job every hour and only refresh ARI when the last one + Retry-After header is in the past.

Copilot

Pull request overview

Adjusts the installed cron schedule to run more frequently (every 6 hours) to better support ACME Renewal Info (ARI) refresh cadence during incident/revocation scenarios.

Changes:

Change the randomized hour selection to a 6-hour bucket (% 6) instead of daily (% 24).
Install a single cron entry that runs 4 times/day at 6-hour intervals (hour list h,h+6,h+12,h+18).

  _t=$(_time)
  random_minute=$(_math $_t % 60)
-  random_hour=$(_math $_t / 60 % 24)
+  random_hour=$(_math $_t / 60 % 6)


    $_CRONTAB -l 2>/dev/null | {
      cat
-      echo "$random_minute $random_hour * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
+      echo "$random_minute $random_hour,$(_math $random_hour + 6),$(_math $random_hour + 12),$(_math $random_hour + 18) * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"


Add support for randomized hour and update frequency Ref: * [/mo](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create#to-schedule-a-task-to-run-every-n-hours) * [/SC HOURLY](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create#parameters)

Copilot

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

  _password="$(__read_password)"
  #SCHTASKS.exe '/create' '/SC' 'DAILY' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "00:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'" >/dev/null
-  echo SCHTASKS.exe '/create' '/SC' 'DAILY' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "00:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "\"$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'\"" | cmd.exe >/dev/null
+  echo SCHTASKS.exe '/create' '/SC' 'HOURLY' '/MO' '6' '/TN' "$_WINDOWS_SCHEDULER_NAME" '/F' '/ST' "0$_randomhour:$_randomminute" '/RU' "$_myname" '/RP' "$_password" '/TR' "\"$_winbash -l -c '$_lesh --cron --home \"$LE_WORKING_DIR\" $_centry'\"" | cmd.exe >/dev/null
  echo


neilpang force-pushed the dev branch from 395ca36 to eaf4b62 Compare May 6, 2026 18:51

sim0n-v added 3 commits May 6, 2026 22:27

Fix cron job schedule for certificate renewal

647c733

Fix random_hour syntax in cron job installation

086fbf9

neilpang force-pushed the patch-1 branch from d2f55ae to 086fbf9 Compare May 6, 2026 20:27

neilpang requested a review from Copilot May 6, 2026 20:27

Copilot started reviewing on behalf of neilpang May 6, 2026 20:28 View session

Copilot AI reviewed May 6, 2026

View reviewed changes

neilpang requested a review from Copilot May 7, 2026 06:58

Copilot started reviewing on behalf of neilpang May 7, 2026 06:58 View session

Copilot AI reviewed May 7, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ARI - Run cron job more frequently#6939

ARI - Run cron job more frequently#6939
sim0n-v wants to merge 4 commits intoacmesh-official:devfrom
sim0n-v:patch-1

sim0n-v commented May 3, 2026

Uh oh!

neilpang commented May 6, 2026

Uh oh!

sim0n-v commented May 6, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

sim0n-v commented May 3, 2026

Uh oh!

neilpang commented May 6, 2026

Uh oh!

sim0n-v commented May 6, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants