acme/autocert: extend default value of RenewBefore

This change amends the default renewal to 30 days before cert expiration,
as recommended by various guides and the official LE documentation:
https://letsencrypt.readthedocs.io/en/latest/using.html#renewal

Fixes golang/go#19616.

Change-Id: I9cfadff936871794e2938304e9e5ab1b0e0353d6
Reviewed-on: https://go-review.googlesource.com/38358
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 7e388ff..ce2f647 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -112,7 +112,7 @@
 	// RenewBefore optionally specifies how early certificates should
 	// be renewed before they expire.
 	//
-	// If zero, they're renewed 1 week before expiration.
+	// If zero, they're renewed 30 days before expiration.
 	RenewBefore time.Duration
 
 	// Client is used to perform low-level operations, such as account registration
@@ -631,10 +631,10 @@
 }
 
 func (m *Manager) renewBefore() time.Duration {
-	if m.RenewBefore > maxRandRenew {
+	if m.RenewBefore > renewJitter {
 		return m.RenewBefore
 	}
-	return 7 * 24 * time.Hour // 1 week
+	return 720 * time.Hour // 30 days
 }
 
 // certState is ready when its mutex is unlocked for reading.
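Review bot: renewBefore() falls back to the default for every RenewBefore at or below renewJitter (one hour, per renewal.go), negative values included, but the field comment in the first hunk still says only "If zero". A caller who sets a short window such as 30 minutes silently gets 30 days instead, which changes when certificates are re-issued without any signal. Document the threshold on the field, e.g. `// If zero or not greater than one hour, they're renewed 30 days before expiration.`, and add a one-line comment on the comparison saying why the jitter is the lower bound. Writing the default as `30 * 24 * time.Hour` would also match the form used in renewal_test.go.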
diff --git a/acme/autocert/renewal.go b/acme/autocert/renewal.go
index 14ac905..6c5da2b 100644
--- a/acme/autocert/renewal.go
+++ b/acme/autocert/renewal.go
@@ -11,8 +11,8 @@
 	"time"
 )
 
-// maxRandRenew is a maximum deviation from Manager.RenewBefore.
-const maxRandRenew = time.Hour
+// renewJitter is the maximum deviation from Manager.RenewBefore.
+const renewJitter = time.Hour
 
 // domainRenewal tracks the state used by the periodic timers
 // renewing a single domain's cert.
@@ -64,7 +64,7 @@
 	// TODO: rotate dr.key at some point?
 	next, err := dr.do(ctx)
 	if err != nil {
-		next = maxRandRenew / 2
+		next = renewJitter / 2
 		next += time.Duration(pseudoRand.int63n(int64(next)))
 	}
 	dr.timer = time.AfterFunc(next, dr.renew)
@@ -84,7 +84,7 @@
 	// but we try nonetheless
 	if tlscert, err := dr.m.cacheGet(ctx, dr.domain); err == nil {
 		next := dr.next(tlscert.Leaf.NotAfter)
-		if next > dr.m.renewBefore()+maxRandRenew {
+		if next > dr.m.renewBefore()+renewJitter {
 			return next, nil
 		}
 	}
@@ -113,7 +113,7 @@
 func (dr *domainRenewal) next(expiry time.Time) time.Duration {
 	d := expiry.Sub(timeNow()) - dr.m.renewBefore()
 	// add a bit of randomness to renew deadline
-	n := pseudoRand.int63n(int64(maxRandRenew))
+	n := pseudoRand.int63n(int64(renewJitter))
 	d -= time.Duration(n)
 	if d < 0 {
 		return 0
diff --git a/acme/autocert/renewal_test.go b/acme/autocert/renewal_test.go
index 87474b6..f232619 100644
--- a/acme/autocert/renewal_test.go
+++ b/acme/autocert/renewal_test.go
@@ -32,7 +32,7 @@
 		expiry   time.Time
 		min, max time.Duration
 	}{
-		{now.Add(90 * 24 * time.Hour), 83*24*time.Hour - maxRandRenew, 83 * 24 * time.Hour},
+		{now.Add(90 * 24 * time.Hour), 83*24*time.Hour - renewJitter, 83 * 24 * time.Hour},
 		{now.Add(time.Hour), 0, 1},
 		{now, 0, 1},
 		{now.Add(-time.Hour), 0, 1},
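Review bot: Nothing in this table exercises the new 30-day default: the first row still expects 83 days for a 90-day certificate, which is a 7-day window. Presumably the Manager built above the hunk sets RenewBefore explicitly, since the TryBot run is recorded as passing. If so, consider a second case with a zero-value Manager whose bounds are `60*24*time.Hour - renewJitter` and `60 * 24 * time.Hour`, so that a later change to the default is caught by the test. The test function starts and ends outside the hunk.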