Suggestions about cert renewal

JoshData · April 30, 2017, 11:52am

We attempt renewal between 14 and 30 days ahead of expiration:

mail-in-a-box/mailinabox/blob/main/management/ssl_certificates.py#L200


      
          
          	domains_to_provision = set()
          	domains_cant_provision = { }
          
          	for domain in plausible_web_domains:
          		# Skip domains that the user doesn't want to provision now.
          		if limit_domains and domain not in limit_domains:
          			continue
          
          		# Check that there isn't an explicit A/AAAA record.
          		if domain not in actual_web_domains:
          			domains_cant_provision[domain] = "The domain has a custom DNS A/AAAA record that points the domain elsewhere, so there is no point to installing a TLS certificate here and we could not automatically provision one anyway because provisioning requires access to the website (which isn't here)."
          
          		# Check that the DNS resolves to here.
          		else:
          
          			# Does the domain resolve to this machine in public DNS? If not,
          			# we can't do domain control validation. For IPv6 is configured,
          			# make sure both IPv4 and IPv6 are correct because we don't know
          			# how Let's Encrypt will connect.
          			bad_dns = []

As long as there are 3 or 4 attempts, I’m fine with reducing the frequency.

If a box has DNS configured on external servers, could you NOT attempt cert renewal using DNS?

One has nothing to do with the other. Cert renewal on the box does not require that DNS be hosted on the box. (We use HTTP validation.)