@hselomein
Summary

  • Add logic to respect user's --days setting for short-lived certificates
  • Add parameter validation (1-398 days range)
  • Add safety checks to prevent renewal after expiration
  • Add clear user feedback messages
  • Maintain backward compatibility
  • Prepare for upcoming industry certificate lifespan reductions

Fixes issue where --days flag was ignored for certificates with short validity periods, causing unexpected renewal behavior.

Problem

The --days flag in acme.sh is currently ignored for short-lived certificates (typically 5-50 days validity), causing inconsistent behavior:

  • Normal certificates (90+ days): --days 60 works as expected
  • Short-lived certificates (5-50 days): --days value is completely ignored, renewal defaults to 1 day before expiration

Root Cause

The renewal calculation logic has separate code paths where short-lived certificates (when _notAfter is set) ignore Le_RenewalDays and use hardcoded fallback logic instead of respecting user preferences.

Solution

Enhanced renewal logic (lines ~5388-5427):

  • Modified _notAfter code path to check user's --days setting first
  • Added safety validation to prevent renewal after certificate expiration
  • Maintained fallback logic for invalid user settings

Parameter validation (lines ~5351-5364):

  • Early validation for --days parameter (1-398 days range)
  • Clear error messages for invalid values
  • Aligned with current industry standard (398 days max)

Testing

Test Case 1: --days 7 with 20-day cert → Renews exactly 7 days after issuance
Test Case 2: --days 25 with 20-day cert → Warning + fallback to safe default
Test Case 3: Normal certificates maintain existing behavior

Backward Compatibility

  • No breaking changes to existing behavior
  • Normal certificates unchanged
  • Short-lived certificates without --days continue using current logic
  • No changes to configuration format or cron behavior

Future-Proofing

Prepares for industry transitions to shorter certificate lifespans (398→200→100→47 days by 2029) while respecting user intent.

- Add logic to respect user's --days setting for short-lived certificates
- Add parameter validation (1-398 days range)
- Add safety checks to prevent renewal after expiration
- Add clear user feedback messages
- Maintain backward compatibility
- Prepare for upcoming industry certificate lifespan reductions

Fixes issue where --days flag was ignored for certificates with
short validity periods, causing unexpected renewal behavior.
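
The renewal-date rules this pull request describes for the short-lived certificate path, as an added example that is not acme.sh's code or the PR's patch. The function names, treating a `--days` value that lands exactly on the expiry as too late, and the fallback of one day before expiry (the existing default the description mentions) are assumptions; the timestamps are constructed.

```shell
#!/bin/sh
# Added illustration; not code from acme.sh. All names are hypothetical.
DAY=86400

# validate_days DAYS: succeed only for a plain integer in the 1-398 range.
validate_days() {
  case "$1" in
    '' | 0* | *[!0-9]*) return 1 ;;   # empty, zero/leading zero, non-digit
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 398 ]
}

# next_renewal ISSUED_EPOCH NOT_AFTER_EPOCH [DAYS]
# Prints the epoch second at which renewal should be attempted.
next_renewal() {
  issued=$1
  not_after=$2
  days=$3
  fallback=$((not_after - DAY))   # assumed default: 1 day before expiry

  # No --days given: keep the existing short-lived behaviour.
  if [ -z "$days" ]; then
    echo "$fallback"
    return 0
  fi
  # Reject out-of-range values early with a clear message.
  if ! validate_days "$days"; then
    echo "invalid --days '$days': must be 1-398" >&2
    return 1
  fi
  candidate=$((issued + days * DAY))
  # Safety check: never schedule renewal at or after expiration.
  if [ "$candidate" -ge "$not_after" ]; then
    echo "warning: --days $days exceeds certificate lifetime; using fallback" >&2
    echo "$fallback"
  else
    echo "$candidate"
  fi
}

# Constructed sample: a 20-day certificate issued at epoch 1700000000.
issued_at=1700000000
expires_at=$((issued_at + 20 * DAY))
next_renewal "$issued_at" "$expires_at" 7    # honours the user's setting
next_renewal "$issued_at" "$expires_at" 25   # warns and falls back
```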