From: Manuel Federanko
Date: Fri, 24 Apr 2026 13:40:33 +0200
Subject: Re: [PATCH proxmox-backup v2] acme: partially fix #6372: scale certificate renewal checks by lifetime
To: pbs-devel@lists.proxmox.com
List-Id: Proxmox Backup Server development discussion

On 2026-04-24 10:35 AM, Fabian Grünbichler wrote:
> seems like v1 of this got applied (with some follow-ups), would you mind
> checking if rebasing the diff between v1 and v2 still makes sense?

They could be rebased, but seeing as ARI support would change some stuff
anyways I'm not quite sure if it is worth it. I'd rather incorporate these
improvements into the ARI patch-series I'm working on.

> On April 23, 2026 3:46 pm, Manuel Federanko wrote:
>> Start renewing a certificate once 2/3 or 1/2 (for short-lived
>> certificates) of its total lifetime have passed, instead of the
>> hardcoded 30 days. This stays consistent with many certificates, which
>> are valid for 90 days and is recommended by letsencrypt [1].
>>
>> The update service runs daily, impose a 3 day minimum remaining lifetime
>> to still be able to handle transient failures for certificate renewals.
>>
>> [1] https://letsencrypt.org/docs/integration-guide/#when-to-renew
>>
>> Signed-off-by: Manuel Federanko
>> Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=6372
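
The renewal rule from the quoted commit message, worked through as an added Rust example; it is not the patch's code and not taken from proxmox-backup. Assumptions: the 10-day cutoff for "short-lived", reading the 3-day minimum as a floor on remaining lifetime, and daily checks aligned to the issuance time. All names are hypothetical.

```rust
// Added illustration; not code from the patch or from proxmox-backup.
// All times are Unix seconds; every name here is hypothetical.
const DAY: i64 = 24 * 60 * 60;
// Assumption: a certificate valid for less than 10 days is "short-lived".
const SHORT_LIVED_BELOW: i64 = 10 * DAY;
// From the commit message: keep at least 3 days of remaining lifetime.
const MIN_REMAINING: i64 = 3 * DAY;

/// Earliest point in time at which a renewal should be attempted.
fn renew_after(not_before: i64, not_after: i64) -> i64 {
    let lifetime = not_after - not_before;
    if lifetime <= 0 {
        return not_before; // malformed validity period: renew right away
    }
    let elapsed = if lifetime < SHORT_LIVED_BELOW {
        lifetime / 2 // short-lived: renew at half of the lifetime
    } else {
        lifetime * 2 / 3 // otherwise: renew once 2/3 have passed
    };
    let by_fraction = not_before + elapsed;
    let by_floor = not_after - MIN_REMAINING;
    // The earlier trigger wins, but never before the certificate was issued.
    by_fraction.min(by_floor).max(not_before)
}

fn renewal_due(not_before: i64, not_after: i64, now: i64) -> bool {
    now >= renew_after(not_before, not_after)
}

/// Number of daily checks (assumed aligned to issuance time) that fall
/// between the renewal trigger and expiry, i.e. attempts that fit in.
fn daily_attempts(not_before: i64, not_after: i64) -> i64 {
    let start = renew_after(not_before, not_after) - not_before;
    let lifetime = not_after - not_before;
    let ceil_days = |secs: i64| (secs + DAY - 1) / DAY;
    (ceil_days(lifetime) - ceil_days(start)).max(0)
}

fn main() {
    // Constructed sample lifetimes, in days.
    for days in [90, 45, 6, 4, 2] {
        let (nb, na) = (0, days * DAY);
        println!("{days:>2}-day cert: renew from day {}, {} daily attempts before expiry",
            (renew_after(nb, na) - nb) / DAY, daily_attempts(nb, na));
    }
}
```

Under these assumptions the floor only changes the result for lifetimes under 6 days, where half the lifetime would leave fewer than three daily attempts.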