| 12 Jan 2026 |
hexa | OPTIONS:
--days value The number of days left on a certificate to renew it. (default: 30)
--dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5. (default: false)
| 00:38:09 |
Tom | --dynamic as the new default if validMinDays isn't set? | 00:40:56 |
hexa | wip | 00:42:42 |
hexa | emily: imo skipping based on the remaining time can't work with ari | 00:56:58 |
hexa | but we already renew "silently" and that should trigger ari based renewals | 00:57:43 |
hexa | and if we default to --dynamic we have nothing to compare against in the is_expiration_skippable function | 00:59:49 |
hexa | but we could try to replicate the logic used in lego when to pick 1/3 and 1/2 of the remainder | 01:00:24 |
hexa | and then determine the total duration from the certificate | 01:01:04 |
hexa | * and then determine the total duration from the certificate instead | 01:01:08 |
hexa | yeah, implemented … I think | 01:18:32 |
emily | I was just thinking we could run it much more often with no randomization if it's getting an ARI time from the CA | 01:28:59 |
emily | because then the CA does its own load balancing across renewal times | 01:29:15 |
emily | I implemented the skew back before ARI was a thing | 01:29:47 |
hexa | https://github.com/NixOS/nixpkgs/pull/479209 | 01:50:33 |
hexa | I wish we could do something similar for the timer interval | 01:51:24 |
Tom | is there that much harm in just runniung it more often as the new default? | 01:53:10 |
Tom | * is there that much harm in just running it more often as the new default? | 01:53:40 |
hexa | we're a multiplier, so yes it matters | 01:56:59 |
Tom | From my understanding, the check on whether to proceed with the renewal is done locally, so it would "only" affect local resources? | 02:04:35 |
hexa | * only while above validMinDays | 02:05:10 |
hexa | * we only fail if above valid min days | 02:05:24 |
hexa | we run renew always, but only fail if below validMinDays | 02:06:02 |
hexa | if is_expiration_skippable out/full.pem; then
  echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
else
  # High number to avoid Systemd reserved codes.
  exit 11
fi
| 02:06:31 |
hexa | that's this logic | 02:06:33 |
hexa | * # ${...} is Nix string interpolation, expanded when the module builds the script
if ! lego ${renewOpts} --days ${toString data.validMinDays}; then
  if is_expiration_skippable out/full.pem; then
    echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
  else
    # High number to avoid Systemd reserved codes.
    exit 11
  fi
fi
| 02:06:46 |
Tom | ah, okay | 02:07:36 |
hexa | Tom: feel free to test https://github.com/NixOS/nixpkgs/pull/479212 | 02:12:04 |