From ef5d040fd6c6db636746e0aa250ca0ae64ebf806 Mon Sep 17 00:00:00 2001 From: Benjamin Schwartz Date: Wed, 21 Jan 2026 00:38:04 -0800 Subject: [PATCH] Alter TLS renewal period --- docs/content/https/acme.md | 16 ++++++++-------- pkg/provider/acme/provider.go | 4 ++-- pkg/provider/acme/provider_test.go | 18 +++++++++++++++--- 3 files changed, 25 insertions(+), 13 deletions(-) diff --git a/docs/content/https/acme.md b/docs/content/https/acme.md index aa3b8ecec..356bc8813 100644 --- a/docs/content/https/acme.md +++ b/docs/content/https/acme.md @@ -847,14 +847,14 @@ _Optional, Default=2160_ It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration. -| Certificate Duration | Renew Period | Renew Interval | -|----------------------|-------------------|-------------------------| -| >= 1 year | 4 months | 1 week | -| >= 90 days | 30 days | 1 day | -| >= 30 days | 10 days | 12 hours | -| >= 7 days | 1 day | 1 hour | -| >= 24 hours | 6 hours | 10 min | -| < 24 hours | 20 min | 1 min | +| Certificate Duration | Renew Period | Renew Interval | +|----------------------|--------------|----------------| +| >= 1 year | 4 months | 1 week | +| >= 90 days | 30 days | 1 day | +| >= 30 days | 10 days | 12 hours | +| >= 6 days | 2 days | 2 hours | +| >= 24 hours | 6 hours | 10 min | +| < 24 hours | 20 min | 1 min | !!! warning "Traefik cannot manage certificates with a duration lower than 1 hour." diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go index fb181dd54..c6800abb8 100644 --- a/pkg/provider/acme/provider.go +++ b/pkg/provider/acme/provider.go 
@@ -809,8 +809,8 @@ func getCertificateRenewDurations(certificatesDuration int) (time.Duration, time
 return 30 * 24 * time.Hour, 24 * time.Hour // 30 days, 1 day
 case certificatesDuration >= 30*24: // >= 30 days
 return 10 * 24 * time.Hour, 12 * time.Hour // 10 days, 12 hours
- case certificatesDuration >= 7*24: // >= 7 days
- return 24 * time.Hour, time.Hour // 1 days, 1 hour
+ case certificatesDuration >= 6*24: // >= 6 days
+ return 2 * 24 * time.Hour, 2 * time.Hour // 2 days, 2 hours
 case certificatesDuration >= 24: // >= 1 days
 return 6 * time.Hour, 10 * time.Minute // 6 hours, 10 minutes
 default:
diff --git a/pkg/provider/acme/provider_test.go b/pkg/provider/acme/provider_test.go
index 477164e3a..e7a16952f 100644
--- a/pkg/provider/acme/provider_test.go
+++ b/pkg/provider/acme/provider_test.go
@@ -612,6 +612,12 @@ func Test_getCertificateRenewDurations(t *testing.T) {
 expectRenewPeriod: time.Hour * 24 * 30,
 expectRenewInterval: time.Hour * 24,
 },
+ {
+ desc: "45 Days certificates (Let's Encrypt 2028 standard): 10 days renew period, 12 hour renew interval",
+ certificatesDurations: 24 * 45,
+ expectRenewPeriod: time.Hour * 24 * 10,
+ expectRenewInterval: time.Hour * 12,
+ },
 {
 desc: "30 Days certificates: 10 days renew period, 12 hour renew interval",
 certificatesDurations: 24 * 30,
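Review bot: The new `6*24` threshold in getCertificateRenewDurations (the provider.go hunk) has no comment saying why the tier boundary moved off a whole week; the reason only surfaces in a test description elsewhere in this commit. A why-comment on the case would stop a later edit from rounding it back to 7 days and silently dropping 160-hour certificates into the 6-hour renew period, e.g. `case certificatesDuration >= 6*24: // >= 6 days; includes 160-hour certificates (Let's Encrypt "shortlived" profile)`. The function's doc comment could also state the intent behind each period/interval pair, presumably that the renew period must leave room for repeated failed attempts before the certificate expires. The function's signature and its first and last cases lie outside this hunk.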
@@ -619,10 +625,16 @@ func Test_getCertificateRenewDurations(t *testing.T) {
 expectRenewInterval: time.Hour * 12,
 },
 {
- desc: "7 Days certificates: 1 days renew period, 1 hour renew interval",
+ desc: "7 Days certificates: 2 days renew period, 2 hour renew interval",
 certificatesDurations: 24 * 7,
- expectRenewPeriod: time.Hour * 24,
- expectRenewInterval: time.Hour,
+ expectRenewPeriod: time.Hour * 24 * 2,
+ expectRenewInterval: time.Hour * 2,
+ },
+ {
+ desc: "160 hour certificate (Let's Encrypt 'shortlived' profile): 2 days renew period, 2 hour renew interval",
+ certificatesDurations: 160,
+ expectRenewPeriod: time.Hour * 24 * 2,
+ expectRenewInterval: time.Hour * 2,
 },
 {
 desc: "24 Hours certificates: 6 hours renew period, 10 minutes renew interval",
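Review bot: Neither new table entry pins the `>= 6*24` boundary itself: `24 * 7` and `160` both sit inside the tier, so a regression from `>=` to `>` would still pass, and nothing asserts that a duration just under six days falls through to the 6 hours / 10 minutes tier. Adding one entry at exactly `24 * 6` and one at `24*6 - 1` would fix the edge on both sides, using the expected values already visible in the provider.go hunk. The test table and the loop that runs it start and end outside this hunk.

```go
// … unchanged: 7 Days and 160 hour cases …
{
	desc:                  "6 Days certificates (lower bound of the tier): 2 days renew period, 2 hour renew interval",
	certificatesDurations: 24 * 6,
	expectRenewPeriod:     time.Hour * 24 * 2,
	expectRenewInterval:   time.Hour * 2,
},
{
	desc:                  "143 Hours certificates (just below the tier): 6 hours renew period, 10 minutes renew interval",
	certificatesDurations: 24*6 - 1,
	expectRenewPeriod:     time.Hour * 6,
	expectRenewInterval:   time.Minute * 10,
},
// … unchanged: 24 Hours case …
```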