Add a configurable cron interval #6971
With ACME Renewal Info (RFC 9773 §4.3), fetching the renewal window should be more frequent, e.g. in case of a revocation incident. "For instance, a server that needs to revoke certificates within 24 hours of notification of a problem might choose to reserve twelve hours for investigation, six hours for clients to fetch updated RenewalInfo objects, and six hours for clients to perform a renewal." A more flexible option is to run the cron job every hour and only refresh ARI when the last one + Retry-After header is in the past.
Add support for randomized hour and update frequency

Ref:
* [/mo](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create#to-schedule-a-task-to-run-every-n-hours)
* [/SC HOURLY](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create#parameters)
@sim0n-v this contains both your PRs
| $_CRONTAB -l 2>/dev/null | { | ||
| cat | ||
| echo "$random_minute $random_hour * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null" | ||
| echo "$random_minute $random_hour/$_cron_interval * * * $lesh --cron $_c_entry> /dev/null" |
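Review bot: In the second `echo`, the hour field `$random_hour/$_cron_interval` applies a step to a single value, whereas crontab step syntax is defined on `*` or on a range, so implementations differ on whether and how they accept it. An explicit range such as `${random_hour}-23/$_cron_interval`, or an expanded list of hours, is more portable; note that a range does not wrap past 23, so a late `$random_hour` gives fewer runs per day than the interval implies. This line also no longer passes `--home \"$LE_WORKING_DIR\"`, which the line above it does; restore it unless the omission is deliberate.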
I tried $random_hour/6 in 647c733 but it didn't work. Don't really know why...
That's why I came up with a list of hours instead ($random_hour,$random_hour+$_cron_interval*1,$random_hour+$_cron_interval*2 etc. until $random_hour+$_cron_interval*(24 / $_cron_interval)).
I think it's because $random_hour/$_cron_interval is technically non-standard syntax. The left side is supposed to be a range expression so we probably want ${random_hour}-23/$_cron_interval
| --cron-interval <interval hours> Sets the cron interval when installing the cron job or used by the renew commands to detect if | ||
| early cert renewal is required when using ARI. Only valid for '--install', '--install-cronjob', | ||
| '--renew', '--renew-all', and '--cron'. | ||
| See: $_ARI_WIKI |
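Review bot: The help text for `--cron-interval` does not state the default or the accepted values for `<interval hours>`. Say what is used when the flag is omitted and whether the value must be a whole number of hours, since the description ties the flag to early renewal under ARI and a reader cannot tell from these lines what an omitted or out-of-range value does.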
Added this with the assumption that the Wiki will be updated to clarify the interaction between this flag and the ARI feature if this PR is merged.
| _debug "_server" "$_server" | ||
|
|
||
| _cron_interval="$3" | ||
| debug "_cron_interval" "$_cron_interval" |
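Review bot: The added trace line calls `debug "_cron_interval" "$_cron_interval"`, while the line a few rows above it uses `_debug "_server" "$_server"`. If `debug` is not a defined function, this prints a command-not-found error on every run and the value is never logged; use `_debug` to match the surrounding code.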
|
|
||
| _isEcc="$2" | ||
| _renewServer="$3" | ||
| _cron_interval="$4" |
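Review bot: `_cron_interval="$4"` takes the fourth positional argument as-is, and the lines shown neither default nor validate it. Callers that still pass three arguments leave it empty, so give it a default at the point of assignment and reject non-numeric values before it reaches any arithmetic.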
I don't think that upgrading acme.sh will update the cronjob as well. This value might not be set.
ARI is enabled by default so maybe add something like:
```sh
if [ -z "$_cron_interval" ]; then
  _cron_interval=24
fi
```
| _offset_sec="$(_math "$1" * 3600)" | ||
| _now_unix="$(_math "$_now_unix" + "$_offset_sec")" |
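Review bot: The `*` in `_math "$1" * 3600` is unquoted, so the shell expands it to the file names in the current directory before `_math` sees it; quote or escape the operator. The second line also overwrites `_now_unix` with the shifted time, so any later code that reads `_now_unix` as the current time gets the projected one; a separate variable for the projected value (for example `_next_run_unix`, an illustrative name) avoids that.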
I get some errors with these (running bash and sh): I think * and + should be escaped.
The first line (with *) prints the current dir.
The second line (with +) cannot understand the symbol.
Fixed with escaped char.
This PR is an implementation of my idea from #6965 (comment) and pulls both #6939 and #6953 as they currently are and adds a `--cron-interval` CLI flag. This should let the cron job figure out if the next cron run will happen before the ARI renewal window ends and trigger an early renewal as necessary. It ensures that we will never overshoot the 30 minute renewal window for the shortlived profile while also not renewing immediately after the 7 day renewal window opens for the classic profile.

Since this PR effectively contains 3 separate PRs in it, here's a link to just my changes without the other two: 3b1f3c8...e-nomem:acme.sh:configurable-cron-interval
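A sketch of the decision the description above outlines, as an added example that is not code from this PR or from acme.sh. The function name, its arguments and its result strings are hypothetical, times are Unix seconds, and the planned renewal time defaults to the window midpoint as an assumption.

```sh
#!/bin/sh
# Added example, not acme.sh code. All names are hypothetical; times are Unix seconds.

# ari_decide NOW WINDOW_START WINDOW_END INTERVAL_HOURS [PLANNED_TIME]
# Prints: renew-overdue | renew-planned | renew-early | wait | invalid-interval
ari_decide() {
  _now="$1"
  _start="$2"
  _end="$3"
  _hours="${4:-24}" # assumption: an unset interval means one run per day
  _planned="$5"

  # Accept only a positive whole number of hours (no leading zero, no sign).
  case "$_hours" in
    0* | *[!0-9]*) echo "invalid-interval"; return 2 ;;
  esac

  # Assumption: with no planned time given, aim for the window midpoint.
  [ -n "$_planned" ] || _planned=$(( _start + (_end - _start) / 2 ))
  _next_run=$(( _now + _hours * 3600 ))

  if [ "$_now" -ge "$_end" ]; then
    echo "renew-overdue" # the window has already closed
  elif [ "$_now" -ge "$_planned" ]; then
    echo "renew-planned" # the planned moment has been reached
  elif [ "$_next_run" -ge "$_end" ]; then
    echo "renew-early" # the next run would land at or after the window end
  else
    echo "wait"
  fi
}

# Constructed sample windows relative to an arbitrary timestamp T.
T=1000000
# 30-minute window, hourly cron: the next run would overshoot, so renew now.
ari_decide "$T" $((T + 1200)) $((T + 3000)) 1
# 7-day window that has just opened, daily cron: no immediate renewal.
ari_decide "$T" "$T" $((T + 604800)) 24
```

The early-renewal branch only fires when waiting one more interval would reach or pass the window end, which is why the 7-day case prints `wait` at the moment the window opens.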