Validity
neil edited this page 2022-08-20 10:46:56 +08:00
The ACME protocol supports the NotBefore and NotAfter fields of the cert, and some CAs support this feature. (The Let's Encrypt CA doesn't support it for now.)
There are 2 command options to use:
- The --valid-to <date time> option, which is for the NotAfter field.
- The --valid-from <date time> option, which is for the NotBefore field.
Usage:
1. Set the lifetime of the cert:
acme.sh --issue -d example.com --dns dns_cf --valid-to "2022-04-01T08:10:33Z"
The value of --valid-to is an absolute date time in the future. The issued cert will expire at that time (NotAfter).
Please be careful about the date time format: it must be the exact UTC format used above.
You can also use a relative date time format:
# This cert will only be valid for `10` days.
acme.sh --issue -d example.com --dns dns_cf --valid-to "+10d"
# This cert will be valid for `30` hours.
acme.sh --issue -d example.com --dns dns_cf --valid-to "+30h"
Please be careful about the format: only +*d (for days) and +*h (for hours) are supported for now. Any other format will not be accepted.
If you use the absolute format for --valid-to "2022-04-01T08:10:33Z", the cert will NOT be renewed automatically when it expires.
If you want the cert to be renewed automatically, please use the relative format:
- --valid-to +20d (the cert will be renewed every 19 days). If the lifetime is longer than one day, it will renew one day before expiry.
- --valid-to +11h (the cert will be renewed every 10 hours). If the lifetime is less than 24 hours, it will renew one hour before expiry.
Of course, if you don't use the --valid-to parameter at all, the cert will be renewed every 60 days as before.
2. Set the beginning time of the cert:
acme.sh --issue -d example.com --dns dns_cf --valid-from "2022-04-01T08:10:33Z"
The cert will be valid starting from "2022-04-01T08:10:33Z".
You can also use the relative time format:
#The cert will be valid in 2 hours from now:
acme.sh --issue -d example.com --dns dns_cf --valid-from "+2h"
#The cert will be valid in 1 day from now:
acme.sh --issue -d example.com --dns dns_cf --valid-from "+1d"
3. You can use them both at the same time:
# The cert will be valid from `"2022-04-01T08:10:33Z"`, and then live for 40 days to expire:
acme.sh --issue -d example.com --dns dns_cf --valid-from "2022-04-01T08:10:33Z" --valid-to "+40d"
# The cert will be valid in 2 hours, and then live for 50 days to expire:
acme.sh --issue -d example.com --dns dns_cf --valid-from "+2h" --valid-to "+50d"
4. If the lifetime is measured in hours, you need to change the default crontab to run acme.sh every hour:
0 * * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
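The renewal rules and the hourly-cron requirement above can be checked before a value is put into an issue command. The script below is an added example, not acme.sh code: the function names are hypothetical, it only checks the shape of an absolute date, and it treats lifetimes of exactly 24 hours or 1 hour as not covered because the page does not state a rule for them.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not acme.sh internals.

# Classify a --valid-to value: prints absolute, days, hours or invalid.
valid_to_kind() {
  case "$1" in
    +*d) unit=days ;;
    +*h) unit=hours ;;
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z)
      echo absolute; return 0 ;;
    *) echo invalid; return 1 ;;
  esac
  count=${1#+}; count=${count%[dh]}
  # Assumption: the count is a positive integer without leading zeros.
  case "$count" in
    ''|0*|*[!0-9]*) echo invalid; return 1 ;;
  esac
  echo "$unit"
}

# Print the hours between renewals per the page's rules. Returns 1 when the
# cert is not renewed automatically or the page does not cover the case.
renew_interval_hours() {
  if [ -z "$1" ]; then echo $((60 * 24)); return 0; fi  # no --valid-to: 60 days
  kind=$(valid_to_kind "$1") || return 1
  count=${1#+}; count=${count%[dh]}
  case "$kind" in
    absolute) return 1 ;;               # absolute date: NOT renewed automatically
    days) life=$((count * 24)) ;;
    hours) life=$count ;;
  esac
  if [ "$life" -gt 24 ]; then
    echo $((life - 24))                 # longer than one day: one day before
  elif [ "$life" -gt 1 ] && [ "$life" -lt 24 ]; then
    echo $((life - 1))                  # less than 24 hours: one hour before
  else
    return 1                            # exactly 24h or 1h: not covered by the page
  fi
}

# Step 4: a lifetime given in hours needs the cron job to run every hour.
needs_hourly_cron() { [ "$(valid_to_kind "$1")" = hours ]; }

for v in "+20d" "+11h" "2022-04-01T08:10:33Z" "+2w"; do
  if h=$(renew_interval_hours "$v"); then echo "$v: renew every ${h}h"
  else echo "$v: no automatic renewal ($(valid_to_kind "$v"))"; fi
done
```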