@luker983 luker983 commented Aug 4, 2024

What does this PR do?

Adds a new certificatesDuration threshold, setting renew period and renew interval to 10 days and 12 hours respectively when 30 days <= certificatesDuration < 90 days.

Motivation

There is a large gap between the 7 and 90 day certificatesDuration thresholds that has made Traefik difficult to adopt in environments that issue certificates with lifetimes shorter than 90 days.

With the current thresholds, 7-30 day cert lifetimes must either renew daily (straining the ACME CA), or only on the day before expiry (leaving little time to resolve an issue if renewal fails).

More

  • Added/updated tests
  • Added/updated documentation

Additional Notes

Ideally the renewal values would be directly configurable as they are in most ACME clients, but I understand the desire for a simpler config. If maintainers are up for opening that discussion again I would prefer to go that route 😄

@rtribotte

Hello @luker983,

Thanks for opening this pull request!

We have marked this as a need-design because we suspect it may introduce a breaking change for some users.
Since no issue was opened beforehand to discuss the possibility of such a change, we would welcome any feedback from the community.

rtribotte commented Aug 6, 2024

After a second thought, I moved it to `needs-review` because I actually think this is a good enhancement that modifies the renewal mechanism, but in a way that should be harmless and beneficial.

@rtribotte rtribotte removed their assignment Aug 6, 2024

@rtribotte rtribotte left a comment

Thanks 👍

@kevinpollet kevinpollet added this to the next milestone Aug 8, 2024

@kevinpollet kevinpollet left a comment

Thanks 👍

@traefiker traefiker merged commit 7807937 into traefik:master Aug 8, 2024
@luker983 luker983 deleted the add-cert-duration-level branch August 13, 2024 04:35

Labels

area/acme kind/enhancement a new or improved feature. size/S
