lego
Support short-lived certificates
Welcome
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
How do you use lego?
Binary
Detailed Description
ACME clients like acme.sh support customizing the "notAfter" field of a cert for supported CAs (currently ZeroSSL and Google). This allows users to set validity periods shorter than three months.
When certificate renewal is fully automated, there's no need to use certs with excessively long lifetimes (three months!); we can auto-renew them on a daily basis. Combined with something like a regular OCSP stapling-file renewal, this significantly reduces the impact of issues like a compromised certificate.
Hello,
You can use `--days`:
--days value The number of days left on a certificate to renew it. (default: 30)
@ldez does this change the duration of a certificate's validity, or just customize the duration to wait before triggering an auto-renewal? The docs don't seem to state which. My goal is for certificates to renew and expire quickly.
-- Seirdy (https://seirdy.one)
I think you cannot customize the certificate's duration; I have to check the ACME RFC. The duration depends on your ACME provider.
ZeroSSL and Google Trust Services support the "notAfter" flag, which is implemented in the /x/crypto/acme package and acme.sh.
Should be easy to implement. I made the following modification, then issued a certificate whose lifetime is 228 hours.
https://crt.sh/?id=8228501978
diff --git a/acme/api/order.go b/acme/api/order.go
index 7b2a2be7..7967206b 100644
--- a/acme/api/order.go
+++ b/acme/api/order.go
@@ -3,6 +3,7 @@ package api
import (
"encoding/base64"
"errors"
+ "time"
"github.com/go-acme/lego/v4/acme"
)
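Review bot: the added `"time"` import lands directly between `"errors"` and the module import `"github.com/go-acme/lego/v4/acme"`; keep it in the standard-library group (after `"errors"`) and keep that group separated from the lego import by a blank line, as gofmt/goimports grouping expects, so the import block stays consistent with the rest of the file.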
@@ -16,7 +17,9 @@ func (o *OrderService) New(domains []string) (acme.ExtendedOrder, error) {
identifiers = append(identifiers, acme.Identifier{Type: "dns", Value: domain})
}
- orderReq := acme.Order{Identifiers: identifiers}
+ notAfter := time.Now().Add(228*time.Hour).Format(time.RFC3339)
+
+ orderReq := acme.Order{Identifiers: identifiers, NotAfter: notAfter}
var order acme.Order
resp, err := o.core.post(o.core.GetDirectory().NewOrderURL, orderReq, &order)
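Review bot: `228*time.Hour` is hard-coded and `NotAfter` is sent on every order, so this build requests a 9.5-day certificate from every CA, including the ones the thread says do not support the field, which may reject the order. Make the lifetime a caller-supplied option (threaded through `OrderService.New` and exposed as a CLI option next to `--days`), and only set `NotAfter` when it is non-zero so the existing `acme.Order{Identifiers: identifiers}` behaviour is preserved otherwise; `time.Now().UTC()` also avoids emitting a local-offset timestamp. The renewal threshold `--days` (default 30, per the earlier reply) also needs reconciling with lifetimes shorter than 30 days, or such a certificate is due for renewal the moment it is issued.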
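As an added example, not lego's own code and not part of the posted patch, here is how a newOrder payload can carry an optional `notAfter` the way the diff above does, with the hard-coded lifetime replaced by a parameter, the field omitted when no lifetime is requested, and a bounds check; `identifier`, `orderRequest`, `maxValidity` and `newOrderRequest` are assumed names standing in for lego's types.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Constructed stand-ins for lego's acme.Identifier and acme.Order, not the project's types.
type identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

type orderRequest struct {
	Identifiers []identifier `json:"identifiers"`
	// omitempty: with no lifetime requested the field is absent, so CAs without support get a plain order.
	NotAfter string `json:"notAfter,omitempty"`
}

// Assumed local cap; a CA that honours notAfter still applies its own policy limit.
const maxValidity = 90 * 24 * time.Hour

// newOrderRequest builds an RFC 8555 newOrder body; validity == 0 means CA default, now is injected for determinism.
func newOrderRequest(domains []string, validity time.Duration, now time.Time) ([]byte, error) {
	if len(domains) == 0 {
		return nil, errors.New("no domains given")
	}
	if validity < 0 || validity > maxValidity {
		return nil, fmt.Errorf("requested validity %s not in [0, %s]", validity, maxValidity)
	}
	var req orderRequest
	for _, d := range domains {
		req.Identifiers = append(req.Identifiers, identifier{Type: "dns", Value: d})
	}
	if validity > 0 {
		// UTC avoids a local offset in the RFC 3339 timestamp the protocol expects.
		req.NotAfter = now.UTC().Add(validity).Format(time.RFC3339)
	}
	return json.Marshal(req)
}

func main() {
	body, err := newOrderRequest([]string{"example.com"}, 228*time.Hour, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```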