We are currently using Let’s Encrypt certificates for our UI and have a couple of questions regarding the automatic renewal process.
First, does the renewal occur on the day of expiration, or does it happen a few days prior? For instance, our newly set up certificate shows 62 days until expiration, even though the official documentation states that certificates should be valid for 90 days. This clarification is important as we plan to build automation around the process.
Secondly, is it necessary to keep port 80 open for the renewal, or can we close it and simply run the renewal command (e.g., renew-ssl-cert) without having the port open?
It’s done automatically 80 days after a new certificate is acquired. The command sudo pritunl renew-ssl-cert triggers a manual renewal. Port 80 must be open for the certificate to renew.
Could you please elaborate on how this process works? My understanding is that the internal application logic automatically renews the certificate when it is 81 days old. Additionally, should I expect to see any log entries in the Pritunl logs indicating a successful certificate renewal?
I ask because I am using Let’s Encrypt for my public domain, which was registered on 1743155791.7633524 (Friday, March 28, 2025 9:56:31.763 AM GMT). I set up the command pritunl set app.acme_renew 777600, which corresponds to 9 days, and I expected the certificate to renew on the 9th or 10th day. However, this did not occur, and I am not sure what log messages I should be looking for to determine why. Could you please confirm if my understanding of the command outcome is correct?
Based on my recent validation, it appears that the certificate renewal did indeed occur.
I also came across this line in your code base: https://github.com/pritunl/pritunl/blob/master/pritunl/tasks/acme_update.py#L31, which suggests that restarting the Pritunl service is necessary for the renewal process to take effect. Am I understanding this correctly?
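For the automation mentioned in the first post, one way to check from the outside whether a renewal is pending or was missed (an added example, not part of the thread and not Pritunl's code). It assumes the served certificate's notBefore approximates the acquisition time; `fetch_cert`, `renewal_status`, the two-day `grace_s` and the sample certificate are hypothetical names and constructed values.

```python
import socket
import ssl
import time

DAY = 86400

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns;
# notBefore matches the timestamp quoted in the thread, notAfter is 90 days later.
SAMPLE_CERT = {
    "notBefore": "Mar 28 09:56:31 2025 GMT",
    "notAfter": "Jun 26 09:56:31 2025 GMT",
}

def fetch_cert(host, port=443, timeout=5):
    """Return the certificate the web UI is serving right now (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def renewal_status(cert, renew_after_s=80 * DAY, now=None, grace_s=2 * DAY):
    """Classify the served certificate against the expected renewal time.

    renew_after_s: renewal interval (80 days per the answer; 777600 in the follow-up).
    grace_s: hypothetical slack before a missing renewal is reported.
    notBefore is used as a stand-in for the acquisition time (assumption).
    """
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    due = issued + renew_after_s
    if now >= expires:
        state = "expired"
    elif now < due:
        state = "fresh"
    elif now < due + grace_s:
        state = "due"
    else:
        state = "overdue"  # same certificate still served: renewal did not happen
    return {"state": state, "due_at": due, "days_left": int((expires - now) // DAY)}

if __name__ == "__main__":
    issued_at = ssl.cert_time_to_seconds(SAMPLE_CERT["notBefore"])
    print(renewal_status(SAMPLE_CERT, renew_after_s=777600, now=issued_at + 12 * DAY))
```

An `overdue` result means the old certificate is still being served past the configured interval, which is the point to check that port 80 is reachable and to run the manual renewal command.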