Renewal window not capped at 30 days #382
Comments
|
Well that's...rather embarrassing. You're absolutely right. Thanks a ton, @lookcloser. I'll get it fixed shortly. |
|
Fix is now in main. I may not push a new release until next week though. I also wrote a little fix-it script you can use in the mean time that will adjust the renewal windows of your existing orders. Throw this in a file called something like #Requires -Modules Posh-ACME
[CmdletBinding()]
param()
Get-PAOrder -List | ForEach-Object {
# skip orders without a cert
if (-not ($cert = $_ | Get-PACertificate)) { return }
# calculate the appropriate RenewAfter value
$notBefore = $cert.NotBefore.ToUniversalTime()
$notAfter = $cert.NotAfter.ToUniversalTime()
$lifetime = $notAfter - $notBefore
$renewHours = [Math]::Min(720, ($lifetime.TotalHours / 3))
$renewAfter = $notAfter.AddHours(-$renewHours).ToString('yyyy-MM-ddTHH:mm:ssZ', [Globalization.CultureInfo]::InvariantCulture)
# grab the order JSON
$orderFile = Join-Path $_.Folder 'order.json'
$orderRaw = Get-Content $orderFile -Raw | ConvertFrom-Json
# un-DateTime'ify the RenewAfter value if we're in PS Core
if ($orderRaw.RenewAfter -is [DateTime]) {
$orderRaw.RenewAfter = $orderRaw.RenewAfter.ToString('yyyy-MM-ddTHH:mm:ssZ', [Globalization.CultureInfo]::InvariantCulture)
}
# save the updated value if the existing value is different
if ($orderRaw.RenewAfter -ne $renewAfter) {
Write-Verbose "Fixing renewal window $($_.RenewAfter) -> $renewAfter for order '$($_.Name)'"
$orderRaw.RenewAfter = $renewAfter
$orderRaw | ConvertTo-Json -Depth 10 | Out-File $orderFile -Force
}
}
Import-Module -Name Posh-ACME -ForceThen run it like this: .\Update-RenewalWindows.ps1 -Verbose |
|
Thanks for fixing the bug and writing the script. I think the script needs to have the following line added after the Write-Verbose line: $orderRaw.RenewAfter = $renewAfter Otherwise the $orderRaw object will never be updated with the corrected renewal date and the incorrect renewal date will just get written to the file again. I added this line to my local copy of the script and it seems to be working fine after doing this. Thanks. |
|
Whoops. Yes, you're correct about the script tweak. Modified the comment. Thanks! |
|
The fix is now live in v4.9.0 |
I've noticed that all of our orders for certificates with a 1 year lifespan have their RenewAfter date set to 4 months before the CertExpires date.
Based on the comments starting at line 59 of https://github.com/rmbolger/Posh-ACME/blob/main/Posh-ACME/Public/Complete-PAOrder.ps1, I believe that the RenewAfter date should never be earlier than 30 days before the CertExpires date.
I think this is happening because line 65 of this file should be calling [Math]::Min rather than [Math]::Max.
Thanks.
The text was updated successfully, but these errors were encountered: