ARI - Run cron job more frequently#6939

Open
sim0n-v wants to merge 5 commits into
acmesh-official:devfrom
sim0n-v:patch-1
Conversation

@sim0n-v (Contributor) commented May 3, 2026

With ACME Renewal Info (RFC9773 §4.3), fetching the renewal window should happen more frequently, e.g. in case of a revocation incident.

For instance, a server that needs to revoke certificates within 24 hours of notification of a problem might choose to reserve twelve hours for investigation, six hours for clients to fetch updated RenewalInfo objects, and six hours for clients to perform a renewal.

This PR makes the cron job run every 6 hours (NB: the cron job is not modified during acme.sh upgrades).

A more flexible option is to run the cron job even more frequently (e.g. every hour) and store the time at which the next ARI fetch should be made (using the Retry-After header).
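A sketch of that Retry-After-gated polling, as an added example in POSIX sh that is not part of acme.sh or of this PR: the cron job fires every hour, a per-account state file holds the epoch second at which the next renewalInfo fetch becomes due, and the fetch only happens once that deadline has passed. The state file path, the `fake_fetch_ari` stand-in (it prints a constructed Retry-After value), the 6 h default and the 1 min..24 h clamp are assumptions made for the demo; only the delay-seconds form of Retry-After is parsed, the HTTP-date form falls back to the default.

```shell
#!/bin/sh
# Added example (not acme.sh's own code): hourly cron tick that refetches ARI
# only after the previously returned Retry-After delay has elapsed.
# State: one file holding the epoch second of the next due fetch (assumption).

# ari_due NOW_EPOCH STATE_FILE
# Exit 0 when a fetch is due: no state yet, unreadable state, or deadline passed.
ari_due() {
  _now=$1
  _state=$2
  if [ ! -f "$_state" ]; then
    return 0
  fi
  _next=$(cat "$_state" 2>/dev/null)
  case "$_next" in
    ''|*[!0-9]*) return 0 ;;   # empty or corrupt state file: fetch again
  esac
  [ "$_now" -ge "$_next" ]
}

# ari_next_deadline NOW_EPOCH RETRY_AFTER
# Prints the epoch second of the next fetch. RETRY_AFTER is the raw header
# value; only the delay-seconds form is parsed. A missing header or the
# HTTP-date form (also allowed by RFC 9110) falls back to a 6 h default, and
# the delay is clamped so a bogus header can neither make the client hammer
# the CA nor stop it polling for days.
ari_next_deadline() {
  _now=$1
  _ra=$2
  _delay=21600                      # assumption: 6 h when nothing usable is given
  case "$_ra" in
    ''|*[!0-9]*) ;;
    *) _delay=$_ra ;;
  esac
  if [ "$_delay" -lt 60 ]; then _delay=60; fi
  if [ "$_delay" -gt 86400 ]; then _delay=86400; fi
  echo $(( _now + _delay ))
}

# ari_poll NOW_EPOCH STATE_FILE FETCH_FN
# Hourly entry point: runs FETCH_FN (which prints the Retry-After value it
# received, possibly empty) only when due, then records the new deadline.
# Prints "fetched" or "skipped".
ari_poll() {
  _now=$1
  _state=$2
  _fetch=$3
  if ari_due "$_now" "$_state"; then
    _ra=$("$_fetch")
    ari_next_deadline "$_now" "$_ra" > "$_state"
    echo fetched
  else
    echo skipped
  fi
}

# Constructed stand-in for the real renewalInfo request: pretend the CA
# answered with "Retry-After: 10800" (come back in 3 hours).
fake_fetch_ari() {
  echo 10800
}

# Demo: three hourly ticks from a constructed starting epoch.
_f=/tmp/ari_demo_state.$$
ari_poll 1700000000 "$_f" fake_fetch_ari   # fetched
ari_poll 1700003600 "$_f" fake_fetch_ari   # skipped (only 1 h elapsed)
ari_poll 1700010800 "$_f" fake_fetch_ari   # fetched (3 h elapsed)
rm -f "$_f"
```

The state file is the only thing that has to survive between cron runs; everything else is recomputed from the current time, so a missed or late tick simply results in a fetch on the next hour.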

@neilpang (Member) commented May 6, 2026

why not just $_random_minutes */6 * * * ?

@sim0n-v (Contributor Author) commented May 6, 2026

I guess $random_minute */6 * * * is the same as $random_minute 0/6 * * *: every client will request ARI in the same hour, and the CA may get overloaded at hours 0, 6, 12 and 18.

It would be much better if this were randomized across each hour.

As per RFC9773 §4.3:

During the lifetime of a certificate, the renewal information needs to be fetched frequently enough that clients learn about changes in the suggested window quickly, but without overwhelming the server.

sim0n-v added 3 commits May 6, 2026 22:27
With ACME Renewal Info (RFC9773 §4.3), fetching the renewal window should happen more frequently, e.g. in case of a revocation incident.
"For instance, a server that needs to revoke certificates within 24 hours of notification of a problem might choose to reserve twelve hours for investigation, six hours for clients to fetch updated RenewalInfo objects, and six hours for clients to perform a renewal."

A more flexible option is to run the cron job every hour and only refresh ARI when the last fetch time + Retry-After header is in the past.

Copilot AI (Contributor) left a comment

Pull request overview

Adjusts the installed cron schedule to run more frequently (every 6 hours) to better support ACME Renewal Info (ARI) refresh cadence during incident/revocation scenarios.

Changes:

  • Change the randomized hour selection to a 6-hour bucket (% 6) instead of daily (% 24).
  • Install a single cron entry that runs 4 times/day at 6-hour intervals (hour list h,h+6,h+12,h+18).
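The schedule this overview and the earlier `*/6` exchange describe, built as an added example in POSIX sh that is not acme.sh's own code: a random minute, a random hour offset inside the bucket, the expanded hour list, and for contrast the `*/6` form that spreads the minute but leaves every client on hours 0,6,12,18. It generalizes the 6-hour case to any interval that divides 24. The function names, the `/dev/urandom` fallback, the crontab marker handling and the install path in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not acme.sh's own code. Builds the crontab line described in
# the PR (random minute, random hour offset inside a 6-hour bucket, expanded
# to h,h+6,h+12,h+18) and, for contrast, the "M */6 * * *" form in which every
# client shares hours 0,6,12,18. Generalised to any interval that divides 24.

# random_below N -> integer in 0..N-1 from /dev/urandom, PID as fallback
random_below() {
  _n=$1
  _r=$(od -An -N2 -tu2 /dev/urandom 2>/dev/null | tr -d ' ')
  case "$_r" in
    ''|*[!0-9]*) _r=$$ ;;   # no usable urandom: still varies per host/run
  esac
  echo $(( _r % _n ))
}

# cron_hours_spread H [INTERVAL]
# Expands bucket hour H into the list "h,h+I,h+2I,..." below 24. INTERVAL
# defaults to the PR's 6 and must divide 24 so the cadence repeats daily.
cron_hours_spread() {
  _i=${2:-6}
  if [ "$_i" -lt 1 ] || [ $(( 24 % _i )) -ne 0 ]; then
    echo "interval must divide 24" >&2
    return 1
  fi
  _h=$(( $1 % _i ))
  _list=$_h
  _x=$(( _h + _i ))
  while [ "$_x" -lt 24 ]; do
    _list="$_list,$_x"
    _x=$(( _x + _i ))
  done
  echo "$_list"
}

# cron_line_spread MINUTE HOUR CMD [INTERVAL] -> "M h,h+I,... * * * CMD"
cron_line_spread() {
  printf '%s %s * * * %s\n' "$(( $1 % 60 ))" "$(cron_hours_spread "$2" "${4:-6}")" "$3"
}

# cron_line_fixed MINUTE CMD -> "M */6 * * * CMD"
# The minute is spread, the hours are not: all clients fire at 0,6,12,18.
cron_line_fixed() {
  printf '%s */6 * * * %s\n' "$(( $1 % 60 ))" "$2"
}

# install_cron_line LINE MARKER
# Replaces any crontab line containing MARKER with LINE and keeps the rest.
# Dry run by default: only prints the resulting crontab unless CRON_APPLY=1.
install_cron_line() {
  _line=$1
  _marker=$2
  _new=$( { crontab -l 2>/dev/null | grep -v -F -- "$_marker"; printf '%s\n' "$_line"; } )
  if [ "${CRON_APPLY:-0}" = 1 ]; then
    printf '%s\n' "$_new" | crontab -
  else
    printf '%s\n' "$_new"
  fi
}

# Demo with an assumed install path; "--cron" would serve as the marker for
# install_cron_line because only the renewal entry carries it.
_cmd='"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null'
_m=$(random_below 60)
_h=$(random_below 6)
echo "spread: $(cron_line_spread "$_m" "$_h" "$_cmd")"
echo "fixed:  $(cron_line_fixed "$_m" "$_cmd")"
```

With the spread form a fleet of clients is distributed over 6 x 60 = 360 distinct firing minutes per bucket instead of 60, which is the difference the thread is arguing about; the interval argument lets the same generator produce an hourly or 8-hour schedule if the polling policy changes.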

Copilot AI (Contributor) left a comment

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

@sim0n-v (Contributor Author) left a comment

Fix Windows scheduler padding for StartTime and random minute/hour.

@sim0n-v (Contributor Author) left a comment

Update the SCHTASKS to follow the same cron job logic
@sim0n-v (Contributor Author) commented May 10, 2026

The wiki page "Using systemd units instead of cron" should also be updated with something like this:

[Unit]
Description=Renewal of Let's Encrypt's certificates

[Timer]
#OnCalendar=*/6:00:00
OnUnitActiveSec=6h
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

@e-nomem commented May 16, 2026

Persistent=true doesn't do anything for monotonic timers, and OnUnitActiveSec requires the target unit to be activated at least once by something, so it usually also requires OnBootSec.

If you have a recent enough version of systemd (v258+), you can do something like this:

[Unit]
Description=Renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=0/6:00:00
RandomizedOffsetSec=6h
FixedRandomDelay=true
Persistent=true

[Install]
WantedBy=timers.target

That'll have the timer fire every 6 hours, but each individual system will use a different fixed offset within that 6-hour window.

e-nomem added a commit to e-nomem/acme.sh that referenced this pull request May 17, 2026