acme/autocert: extend default value of RenewBefore
This change updates the default renewal time to 30 days before cert expiration,
as recommended by various guides and the official LE documentation:
https://letsencrypt.readthedocs.io/en/latest/using.html#renewal
Fixes golang/go#19616.
Change-Id: I9cfadff936871794e2938304e9e5ab1b0e0353d6
Reviewed-on: https://go-review.googlesource.com/38358
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 7e388ff..ce2f647 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -112,7 +112,7 @@
// RenewBefore optionally specifies how early certificates should
// be renewed before they expire.
//
- // If zero, they're renewed 1 week before expiration.
+ // If zero, they're renewed 30 days before expiration.
RenewBefore time.Duration
// Client is used to perform low-level operations, such as account registration
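Review bot: The rewritten comment still says "If zero", but renewBefore() in the second hunk of this file falls back to the 30-day default for any RenewBefore not larger than renewJitter (one hour), so a caller who sets, say, 30 minutes silently gets 30 days instead — surprising for a setting that decides how close to expiry a cert is still served. If the guard is intentional (it keeps the jitter subtracted in domainRenewal.next from exceeding the renewal window), the doc line should say so: `// If zero (or not larger than one hour), they're renewed 30 days before expiration.`; otherwise relax the check to `if m.RenewBefore > 0 {` so small values are honored. Either way the comment and the code in the renewBefore() hunk should agree.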
@@ -631,10 +631,10 @@
}
func (m *Manager) renewBefore() time.Duration {
- if m.RenewBefore > maxRandRenew {
+ if m.RenewBefore > renewJitter {
return m.RenewBefore
}
- return 7 * 24 * time.Hour // 1 week
+ return 720 * time.Hour // 30 days
}
// certState is ready when its mutex is unlocked for reading.
diff --git a/acme/autocert/renewal.go b/acme/autocert/renewal.go
index 14ac905..6c5da2b 100644
--- a/acme/autocert/renewal.go
+++ b/acme/autocert/renewal.go
@@ -11,8 +11,8 @@
"time"
)
-// maxRandRenew is a maximum deviation from Manager.RenewBefore.
-const maxRandRenew = time.Hour
+// renewJitter is the maximum deviation from Manager.RenewBefore.
+const renewJitter = time.Hour
// domainRenewal tracks the state used by the periodic timers
// renewing a single domain's cert.
@@ -64,7 +64,7 @@
// TODO: rotate dr.key at some point?
next, err := dr.do(ctx)
if err != nil {
- next = maxRandRenew / 2
+ next = renewJitter / 2
next += time.Duration(pseudoRand.int63n(int64(next)))
}
dr.timer = time.AfterFunc(next, dr.renew)
@@ -84,7 +84,7 @@
// but we try nonetheless
if tlscert, err := dr.m.cacheGet(ctx, dr.domain); err == nil {
next := dr.next(tlscert.Leaf.NotAfter)
- if next > dr.m.renewBefore()+maxRandRenew {
+ if next > dr.m.renewBefore()+renewJitter {
return next, nil
}
}
@@ -113,7 +113,7 @@
func (dr *domainRenewal) next(expiry time.Time) time.Duration {
d := expiry.Sub(timeNow()) - dr.m.renewBefore()
// add a bit of randomness to renew deadline
- n := pseudoRand.int63n(int64(maxRandRenew))
+ n := pseudoRand.int63n(int64(renewJitter))
d -= time.Duration(n)
if d < 0 {
return 0
diff --git a/acme/autocert/renewal_test.go b/acme/autocert/renewal_test.go
index 87474b6..f232619 100644
--- a/acme/autocert/renewal_test.go
+++ b/acme/autocert/renewal_test.go
@@ -32,7 +32,7 @@
expiry time.Time
min, max time.Duration
}{
- {now.Add(90 * 24 * time.Hour), 83*24*time.Hour - maxRandRenew, 83 * 24 * time.Hour},
+ {now.Add(90 * 24 * time.Hour), 83*24*time.Hour - renewJitter, 83 * 24 * time.Hour},
{now.Add(time.Hour), 0, 1},
{now, 0, 1},
{now.Add(-time.Hour), 0, 1},