| 14 Dec 2025 |
Arian | Smallstep implements this and we have a module for it in nixos I think | 17:08:17 |
| 24 Dec 2025 |
hexa | ok, so shortlived certificates are "6ish days" | 00:17:22 |
hexa | or exactly 160h | 00:17:25 |
hexa | specifying the remainder in valid days seems less useful 😄 | 00:17:48 |
hexa | I'd be fine with less than 72h remaining, ok that's three days | 00:19:06 |
hexa | but the renew timer should run more often than daily | 00:19:19 |
hexa | * but now the renew timer should run more often than daily | 00:19:23 |
hexa | validMinDays = 3;
renewInterval = "3/6:00:00";
extraLegoRunFlags = [ "--profile=shortlived" ];
extraLegoRenewFlags = [ "--profile=shortlived" ];
| 00:41:26 |
hexa | oh, I think the profile option was backported | 00:41:39 |
hexa | * oh, I think the profile option was backported, so that can be shortened to | 00:44:34 |
hexa | validMinDays = 3;
renewInterval = "3/6:00:00";
profile = "shortlived";
| 00:44:37 |
| 9 Jan 2026 |
| Tom joined the room. | 01:05:23 |
Tom | i just noticed the validMinDays=30 default after looking at crt.sh | 01:08:41 |
Tom | maybe the validMinDays default should be made conditional based upon the profile option? | 01:10:53 |
Tom | otoh it would be probably better figuring out how to it all based upon a percent remaining value | 01:13:52 |
Tom | * otoh it would be probably better figuring out how to do it based upon a percent remaining value | 01:15:19 |
Tom |
For certificates with a validity period under 10 days, we recommend renewing halfway through their total lifetime.
https://letsencrypt.org/docs/integration-guide/#when-to-renew | 12:16:31 |
| 11 Jan 2026 |
| ivan joined the room. | 01:56:24 |
Sandro 🐧 | I just read in the lego changelog that an email is no longer required. https://github.com/go-acme/lego/releases/tag/v4.31.0
Should we adapt to that? | 09:25:26 |
leona | LE also doesn't really use the account email anymore: https://letsencrypt.org/2025/06/26/expiration-notification-service-has-ended | 11:06:52 |
hexa | we hardcode RandomizedDelaySec=24h, which means my 6 hour interval gets stretched by up to 24 hours | 16:05:14 |
hexa | le sigh | 16:05:31 |
hexa | NEXT LEFT LAST PASSED UNIT ACTIVATES
Sun 2026-01-11 18:07:20 UTC 2h 1min Sun 2026-01-11 12:07:29 UTC 3h 58min ago acme-renew-
Sun 2026-01-11 23:11:52 UTC 7h Sun 2026-01-11 11:12:11 UTC 4h 54min ago acme-renew-
Mon 2026-01-12 00:03:44 UTC 7h Sun 2026-01-11 12:03:44 UTC 4h 2min ago acme-renew-
Mon 2026-01-12 01:55:54 UTC 9h Sun 2026-01-11 13:56:24 UTC 2h 9min ago acme-renew-
Mon 2026-01-12 02:24:43 UTC 10h Sun 2026-01-11 02:24:44 UTC 13h ago acme-renew-
| 16:07:25 |
hexa | [Timer]
AccuracySec=17280s
FixedRandomDelay=true
OnCalendar=3/6:00:00
Persistent=yes
RandomizedDelaySec=24h
| 16:07:40 |
hexa | so between 6 and 24 hours | 16:08:07 |
Tom | AFAIK there also is some sort of problem with minica not being able to generate placeholder certs for IPv6 addresses. but haven't dug deeper than noticing that there seems to be a problem in that area | 16:14:55 |
Tom | ah, the problem might not be minica but how it's being used | 16:21:19 |
Tom | https://github.com/NixOS/nixpkgs/blob/05f7778bc209d5579d5976cc0e7dc02afa21d1e4/nixos/modules/security/acme/default.nix#L390-L393
$ minica --domains 3fff::1
Invalid domain name "3fff::1"
$ minica --ip-addresses 3fff::1
| 16:41:14 |
Arian | In reply to @hexa:lossy.network: "we hardcode RandomizedDelaySec=24h, which means my 6 hour interval gets stretched by up to 24 hours" Lol oops | 18:19:52 |