Finetune the SSL expiration alert period
Right now, Let's Encrypt certificate expiration alert is sent 14 days, 7 days, 1 day before.
I have a certbot that renews it 5 days before.
So every month, I receive alerts 14 days and 7 days for all domains,
which are perfectly normal. Hence, some 'alert noise' that I don't take into account anymore...
Let us select a custom period for SSL expiration dates.
I think globally, with 2 different settings: one for "standard" certificate, the other for 'let's encrypt' certificates.
--> only alert when worth alerting :)
--> smarter monitoring
Actually 14, 7, 1 is already the special schedule for let’s encrypt certificates. This is automatically detected by updown.io so you don’t have to, normal 1-year certificates get an additional 30 days reminder.
The threshold for let’s encrypt certs starts at 14 days because the default renew delay is 30 days before expiration: https://certbot.eff.org/docs/using.html. This can be down to 23 days with a weekly cron for example (pretty common) so that’s why we chose 14 days, so you have plenty of time to renew but still have time to investigate and fix any potential auto-renew issues.
If you’d rather renew your cert only 5 days before expiration that’s up to you but we won’t recommend or support this configuration as we consider it dangerous ☺
Adam Gibbins commented
I'm a user of Netlify's service for hosting static sites, they provide LetsEncrypt certificates however they don't appear to be renewed until ~10 days before expiry. I have no control over this, so I get notifications from updown.io when 14 days remain every time. It'd be nice to be able to tune this.
I can only assume they're doing this as they're operating at large scale so this delayed renewal significantly reduces load, so it's not likely they'll alter it to align with LE recommendations.