Add CERT_PROFILE support and improve ARI renewal scheduling#607
Conversation
There was a problem hiding this comment.
Thanks for opening this pull request! Be sure to follow the pull request template!
|
While testing this on Unraid, I noticed every container restart was looping into a revoke + reissue cycle when CERT_PROFILE=shortlived was set. The cause is the existing legacy check that tries to detect certs still on the expired DST Root CA X3 cross-sign: I changed it to check for the actual bad chain: This way it does not interfere with the new intermediates that shortlived introduces. |
|
Looking at it again I think this checking for this old le root certificate should just be removed can't imagine anyone is still running with that cert. will add it in this pr for now since it causes issues with the new intermediate certificates from le. |
|
Changed the pull request to better reflect all changes. |
|
removed the old root ca part from the description since it was already removed upstream, |
Add CERT_PROFILE env var for Let's Encrypt cert profiles. Run certbot twice daily via a cron entry with a random delay instead of the previous sed-based cron randomization. Update changelog. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Made requested changes, |
Description:
1. CERT_PROFILE environment variableAdds support for the
CERT_PROFILEenvironment variable, allowing users to request a specific Let's Encrypt certificate profile via certbot'spreferred-profileflag. Supported profiles:classictlsservershortlivedtlsclientZeroSSL does not support ACME profiles and the variable is silently ignored when
2. ARI-aware renewal schedulingCERTPROVIDER=zerossl.Changes certbot renew from once daily to twice daily (
*/12) per the Let's Encrypt Integration Guide recommendation to check ARI at least twice daily.Additionally randomizes the cron minute offset (0–59) on each container start to spread renewal load across instances, and logs the next scheduled check time at startup.
Updates the readme to reflect twice daily cert checks via ARI and removes the outdated reference to Let's Encrypt expiration notification emails which ended in June 2025.
Benefits of this PR and context:
CERT_PROFILE enables users to adopt shorter-lived certificates today. This is directly relevant to the whole SWAG userbase given Let's Encrypt's announced roadmap:
Lays the groundwork for support for ip certificates which requires 6 day certs.Six-Day and IP Address Certificates Available in Certbot
As certificate lifetimes shorten, ARI renewal windows become proportionally narrower. The twice daily cron change is forward-looking — what currently only matters for shortlived users will affect all SWAG users as default lifetimes decrease.
How Has This Been Tested?
Built the Docker image locally on an Unraid server and tested:
CERT_PROFILE=shortlivedin staging and production mode — received a 6-day certificate both times:grep renewalInfo /config/log/letsencrypt/letsencrypt.logsuggestedWindowresponse showing a ~3 hour window set at the cert's halfway point (day 3 of 6)Source / References: