
Support short-lived certificates

Open Seirdy opened this issue 1 year ago • 4 comments

Welcome

  • [X] Yes, I've searched similar issues on GitHub and didn't find any.

How do you use lego?

Binary

Detailed Description

ACME clients like acme.sh support customizing the "notAfter" field of a cert for supported CAs (currently ZeroSSL and Google). This allows users to set validity periods shorter than three months.

When certificate renewal is fully automated, there's no need to use certs with excessively long lifetimes (three months!); we can auto-renew them on a daily basis. Combined with something like a regular OCSP stapling-file renewal, this significantly reduces the impact of issues like a compromised certificate.

Seirdy avatar Sep 12 '22 18:09 Seirdy

Hello,

You can use --days:


   --days value                              The number of days left on a certificate to renew it. (default: 30)

ldez avatar Sep 12 '22 19:09 ldez

@ldez does this change the duration of a certificate's validity, or just customize the duration to wait before triggering an auto-renewal? The docs don't seem to state which. My goal is for certificates to renew and expire quickly.

-- Seirdy (https://seirdy.one)

Seirdy avatar Sep 12 '22 19:09 Seirdy

I think you cannot customize the certificate's duration; I have to check the ACME RFC. The duration depends on your ACME provider.

ldez avatar Sep 12 '22 21:09 ldez

ZeroSSL and Google Trust Services support the "notAfter" flag, which is implemented in the /x/crypto/acme package and acme.sh.

Seirdy avatar Sep 13 '22 06:09 Seirdy
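The two things the thread separates, the `--days` renewal threshold on one side and the `notAfter` field of an RFC 8555 newOrder request on the other, are shown together in the following added example. It is not lego's code and not the reporter's: the `Order`/`Identifier` types, `NewOrderRequest`, `NeedsRenewal` and `CheckLifetime` are stand-alone types and functions written for this illustration, and the fixed "now" and the 228-hour lifetime are constructed inputs chosen to match the numbers in the discussion. It shows that `--days` only decides when to renew, that `notAfter` is what asks the CA for a shorter validity, that the field must be omitted (not sent as an empty string) when no lifetime was requested, and how to verify afterwards that the CA actually honoured the request rather than silently issuing its default 90-day certificate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Identifier and Order mirror the RFC 8555 section 7.4 newOrder request body.
// These are example types written here; they are not lego's acme.Order.
type Identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

type Order struct {
	Identifiers []Identifier `json:"identifiers"`
	NotBefore   string       `json:"notBefore,omitempty"`
	NotAfter    string       `json:"notAfter,omitempty"`
}

// NewOrderRequest builds a newOrder body. A zero lifetime means "do not ask
// for a notAfter": the field is then omitted from the JSON and the CA applies
// its default validity, which is the behaviour CAs without notAfter support expect.
func NewOrderRequest(domains []string, now time.Time, lifetime time.Duration) Order {
	ids := make([]Identifier, 0, len(domains))
	for _, d := range domains {
		ids = append(ids, Identifier{Type: "dns", Value: d})
	}
	o := Order{Identifiers: ids}
	if lifetime > 0 {
		// RFC 8555 requires RFC 3339 timestamps; normalise to UTC so the
		// value does not depend on the host's timezone.
		o.NotAfter = now.UTC().Add(lifetime).Format(time.RFC3339)
	}
	return o
}

// NeedsRenewal implements the --days semantics: renew when fewer than `days`
// days remain before notAfter. It says nothing about how long the certificate
// lives; that is decided by the CA when the order is finalized.
func NeedsRenewal(notAfter, now time.Time, days int) bool {
	return notAfter.Sub(now) < time.Duration(days)*24*time.Hour
}

// CheckLifetime verifies that an issued certificate honours the requested
// lifetime, allowing `tolerance` for CA-side rounding or a backdated notBefore.
// A CA that ignored notAfter and issued a 90-day certificate fails this check.
func CheckLifetime(notBefore, notAfter time.Time, requested, tolerance time.Duration) error {
	got := notAfter.Sub(notBefore)
	if diff := got - requested; diff > tolerance || diff < -tolerance {
		return fmt.Errorf("certificate lifetime %s differs from requested %s by more than %s",
			got, requested, tolerance)
	}
	return nil
}

func main() {
	// Constructed "now" so the output is reproducible.
	now := time.Date(2022, 12, 18, 10, 0, 0, 0, time.UTC)

	// Ask for a 228-hour certificate, the lifetime mentioned in the thread.
	body, _ := json.Marshal(NewOrderRequest([]string{"example.com"}, now, 228*time.Hour))
	fmt.Println(string(body)) // notAfter is "2022-12-27T22:00:00Z"

	// Without a lifetime the notAfter key is absent, not empty.
	def, _ := json.Marshal(NewOrderRequest([]string{"example.com"}, now, 0))
	fmt.Println(string(def))

	// With the default --days 30, a 228-hour certificate is already due for
	// renewal the moment it is issued, so a shorter threshold is needed.
	fmt.Println(NeedsRenewal(now.Add(228*time.Hour), now, 30))
	fmt.Println(NeedsRenewal(now.Add(228*time.Hour), now, 3))
}
```

The check in `CheckLifetime` is the part a practitioner should not skip: RFC 8555 lets a server return an error for a `notAfter` it cannot satisfy, but a server may also accept the order and issue on its own terms, so the only reliable signal that a short lifetime was honoured is the `NotAfter` of the certificate that comes back.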

Should be easy to implement. I made the following modification, then issued a certificate whose lifetime is 228 hours.

https://crt.sh/?id=8228501978

diff --git a/acme/api/order.go b/acme/api/order.go
index 7b2a2be7..7967206b 100644
--- a/acme/api/order.go
+++ b/acme/api/order.go
@@ -3,6 +3,7 @@ package api
 import (
        "encoding/base64"
        "errors"
+       "time"

        "github.com/go-acme/lego/v4/acme"
 )
@@ -16,7 +17,9 @@ func (o *OrderService) New(domains []string) (acme.ExtendedOrder, error) {
                identifiers = append(identifiers, acme.Identifier{Type: "dns", Value: domain})
        }

-       orderReq := acme.Order{Identifiers: identifiers}
+       notAfter := time.Now().Add(228*time.Hour).Format(time.RFC3339)
+
+       orderReq := acme.Order{Identifiers: identifiers, NotAfter: notAfter}

        var order acme.Order
        resp, err := o.core.post(o.core.GetDirectory().NewOrderURL, orderReq, &order)
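Review bot: the 228-hour lifetime is hard-coded into `OrderService.New`, so after this change every order lego submits carries a `notAfter`, including orders sent to CAs that do not support the field and may reject the order outright. Make the lifetime a caller-supplied parameter (for example an optional `notAfter time.Time` argument or a new `--not-after`-style flag; names hypothetical) and only set `NotAfter` when it is non-zero, so the default request stays exactly `acme.Order{Identifiers: identifiers}` and existing users see no behaviour change. While at it, compute the value from `time.Now().UTC()` before `Format(time.RFC3339)` so the submitted timestamp does not vary with the host timezone, and document that RFC 8555 allows the server to refuse a `notAfter` it cannot satisfy, so callers should expect and surface that error.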

imlonghao avatar Dec 18 '22 10:12 imlonghao