Commit 3f611cc

feat(certificates): clarify renewal period
1 parent 47a1ffa commit 3f611cc

1 file changed

+16
-13
lines changed

certificates.rst

Lines changed: 16 additions & 13 deletions
@@ -32,12 +32,11 @@ The main **types** of certificates are:
3232
- ``Uploaded``: custom certificates added through :ref:`Upload certificate
3333
<uploaded-certificates-section>`. They are not renewed automatically.
3434

35-
- ``Requested``: one :ref:`Let's Encrypt certificate
36-
<lets-encrypt-requirements>` can be requested for each cluster node, with
37-
up to 100 names. It is used by applications only if no other suitable
38-
certificate is available. Use the ``Manage names`` action to replace it
39-
with a new request; the old one is then marked as ``Obsolete``. Let's
40-
Encrypt certificates are renewed automatically.
35+
- ``Requested``: each cluster node can request one :ref:`Let's Encrypt
36+
certificate <lets-encrypt-requirements>` containing up to 100 names. Use
37+
the ``Manage names`` action to update the list of names; this issues a
38+
new request and marks the old certificate as ``Obsolete``. Let's Encrypt
39+
certificates are renewed automatically.
4140

4241
Other certificate types:
4342
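Review bot: the rewritten ``Requested`` bullet (new lines 35-39) drops the sentence "It is used by applications only if no other suitable certificate is available", which describes certificate selection rather than renewal, so its removal goes beyond what the commit subject "clarify renewal period" announces. If that fallback behaviour still applies, keep the sentence in the bullet; if it no longer applies, mention the removal in the commit message so the documentation change can be traced. The new wording "marks the old certificate as ``Obsolete``" would also benefit from one clause saying whether the old certificate stays in use until the new request succeeds.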

@@ -88,9 +87,13 @@ NethServer 8 uses HTTP-based ACME challenges to obtain them, which require:
8887
with HTTP-based ACME challenges.
8988

9089
Certificates obtained from Let's Encrypt are renewed automatically before
91-
expiration. If one is marked as ``Expiring`` or ``Expired``, verify the
92-
requirements above and wait for the next renewal attempt, or remove it as
93-
explained in :ref:`delete-certificates-section`.
90+
expiration. Renewal attempts run daily, starting 30 days before the
91+
certificate expires.
92+
93+
If a certificate is marked as ``Expiring`` or ``Expired``, check that the
94+
requirements above are still met and wait for the next renewal attempt.
95+
Alternatively, remove the certificate as explained in
96+
:ref:`delete-certificates-section`.
9497

9598
.. _lets-encrypt-request-section:
9699
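Review bot: the paragraph added at new lines 93-96 tells the reader to "wait for the next renewal attempt" without relating the ``Expiring`` state to the 30-day window introduced at new lines 90-91, so a reader cannot tell whether ``Expiring`` already means that daily attempts have been failing. Suggest stating when a certificate becomes ``Expiring`` relative to the 30 days and, since attempts are now documented as daily, saying how long to wait before falling back to removing the certificate.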

@@ -112,10 +115,10 @@ If requirements are met, request a certificate as follows:
112115

113116
Validation may take up to 60 seconds before a timeout.
114117

115-
Certificates are renewed automatically before expiration. If renewal
116-
fails, an expiration alert is triggered (see
117-
:ref:`certificate-alerts-section`). Check the :ref:`Let's Encrypt
118-
requirements <lets-encrypt-requirements>` to investigate the cause.
118+
Certificates are renewed automatically by a daily process that begins 30
119+
days before expiration. If renewal fails, an expiration alert is triggered
120+
(see :ref:`certificate-alerts-section`). See the :ref:`Let's Encrypt
121+
requirements <lets-encrypt-requirements>` to identify the cause.
119122

120123
.. _custom-certificates-section:
121124
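Review bot: new lines 118-119 restate the renewal schedule that the previous hunk already adds ("Renewal attempts run daily, starting 30 days before the certificate expires") in different words, which leaves two statements to keep in sync. Suggest keeping the schedule in one place and pointing to it from here with a :ref:. At new lines 120-121, "(see :ref:`certificate-alerts-section`). See the ..." puts two "see" references back to back; the previous "Check the ... requirements" avoided the repetition and did not imply that the requirements list alone identifies the cause.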
