| 9 Jan 2026 |
 Tom |
For certificates with a validity period under 10 days, we recommend renewing halfway through their total lifetime.
https://letsencrypt.org/docs/integration-guide/#when-to-renew | 12:16:31 |
| 11 Jan 2026 |
|  ivan joined the room. | 01:56:24 |
 Sandro 🐧 | I just read in the lego changelog, that a mail is no longer required. https://github.com/go-acme/lego/releases/tag/v4.31.0
Should we adapt to that? | 09:25:26 |
 leona | LE also doesn't really use the account email anymore: https://letsencrypt.org/2025/06/26/expiration-notification-service-has-ended | 11:06:52 |
 hexa | we hardcode RandomizedDelaySec=24h, which means my 6 hour interval gets stretched by up to 24 hours | 16:05:14 |
| hexa | le sigh | 16:05:31 |
| hexa | NEXT LEFT LAST PASSED UNIT ACTIVATES
Sun 2026-01-11 18:07:20 UTC 2h 1min Sun 2026-01-11 12:07:29 UTC 3h 58min ago acme-renew-
Sun 2026-01-11 23:11:52 UTC 7h Sun 2026-01-11 11:12:11 UTC 4h 54min ago acme-renew-
Mon 2026-01-12 00:03:44 UTC 7h Sun 2026-01-11 12:03:44 UTC 4h 2min ago acme-renew-
Mon 2026-01-12 01:55:54 UTC 9h Sun 2026-01-11 13:56:24 UTC 2h 9min ago acme-renew-
Mon 2026-01-12 02:24:43 UTC 10h Sun 2026-01-11 02:24:44 UTC 13h ago acme-renew-
| 16:07:25 |
| hexa | [Timer]
AccuracySec=17280s
FixedRandomDelay=true
OnCalendar=3/6:00:00
Persistent=yes
RandomizedDelaySec=24h
| 16:07:40 |
| hexa | so between 6 and 24 hours | 16:08:07 |
| Tom | AFAIK there also is some sort of problem with minica not beeing able to generate placeholder certs for IPv6 addresses. but haven't dug deeper then noticing that there seems to be a a problem in that area | 16:14:55 |
| Tom | ah, the problem might not be minica but how it's beeing used | 16:21:19 |
| Tom | https://github.com/NixOS/nixpkgs/blob/05f7778bc209d5579d5976cc0e7dc02afa21d1e4/nixos/modules/security/acme/default.nix#L390-L393
$ minica --domains 3fff::1
Invalid domain name "3fff::1"
$ minica --ip-addresses 3fff::1
| 16:41:14 |
 Arian | In reply to @hexa:lossy.network
we hardcode RandomizedDelaySec=24h, which means my 6 hour interval gets stretched by up to 24 hours Lol oops | 18:19:52 |
| 12 Jan 2026 |
| hexa | OPTIONS:
--days value The number of days left on a certificate to renew it. (default: 30)
--dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5. (default: false)
| 00:38:09 |
| Tom | --dynamic as the new default if validMinDays isn't set? | 00:40:56 |
| hexa | wip | 00:42:42 |
| hexa | Redacted or Malformed Event | 00:46:44 |
| hexa | emily: imo skipping based on the remaining time can't work with ari | 00:56:58 |
| hexa | but we already renew "silently" and that should trigger ari based renewals | 00:57:43 |
| hexa | and if we default to --dynamic we have nothing to compare against in the is_expiration_skippable function | 00:59:49 |
| hexa | but we could try to replicate the logic used in lego when to pick 1/3 and 1/2 of the remainder | 01:00:24 |
| hexa | and then determine the total duration from the certificate | 01:01:04 |
| hexa | * and then determine the total duration from the certificate instead | 01:01:08 |
| hexa | yeah, implemented … I think | 01:18:32 |
 emily | I was just thinking we could run it much more often with no randomization if it's getting an ARI time from the CA | 01:28:59 |
| emily | because then the CA does its own load balancing across renewal times | 01:29:15 |
| emily | I implemented the skew back before ARI was a thing | 01:29:47 |
| hexa | https://github.com/NixOS/nixpkgs/pull/479209 | 01:50:33 |
| hexa | I wish we could do something similar for the timer intervall | 01:51:24 |
| Tom | is there that much harm in just runniung it more often as the new default? | 01:53:10 |
