Only renew certificate if expires within 30 days

[q3k]

This is a quick hack to not hammer the LE API and thus not hit the weekly limit, if, for instance, your container keeps restarting.

The openssl incantation will only check the certificate expiration time, and not whether it is valid (ie. checking against the system CA store) - implementing that is left as an exercise to the reader.

We also make the renew check happen every day, instead of every 60 days, now that we can afford it.

This fixes #13 .

[umputun]

interesting idea. I'll play with this a little bit, but looks very promising.

[umputun]

this will reload nginx every day. not sure how smart nginx handles reloads but I think it will be safer to add status code of le.run and skip reload if != 0

[q3k]

From my experience this should not be a problem at all. The documentation also says:

Configuration reload
Start the new worker processes with a new configuration
Gracefully shutdown the old worker processes

So this shouldn't kill any active connections.

[paskal]

What will happen if service.conf changed to something broken from syntax point of view? E.g. I'm editing file right now and nginx think it's time to reload?
With old behavior it happens once in two months, now it could happen every day.

[q3k]

nginx will keep running the old config file if reload is triggered while the current config is invalid.

Also, why would you be editing the file on production, anyway? :)

[umputun]

I tend to agree with @paskal - unneeded reloads are better to be avoided. We don't know how users manage they servers. If someone is brave enough to do it directly - fine with me, do whatever you want with your own server :) I think we should just eliminate daily reloads and perform it only in case of certs update/generation.