
Check for cert expiry and don't update #12

Closed
patan32 opened this issue Sep 17, 2023 · 8 comments

Comments

@patan32

patan32 commented Sep 17, 2023

Hello,

Thanks for this awesome docker project you have created. I was wondering if you could implement a check where the container checks the certificate's validity and doesn't run the "Removing previous certificate and delete certificate file if the file exist on RouterOS...DONE" and "Validations succeeded; requesting certificate" steps every time the container is restarted. It would be nice if it only ran once the cert is expired, and we could set an environment variable for this.

@foorschtbar
Owner

Do you use the /letsencrypt volume mount?
If you store persistent authorization information between container restarts, the replacement will only happen if the cert is expired.

@patan32
Author

patan32 commented Sep 18, 2023

Hello @foorschtbar

These are my current mount paths.
(screenshot of the volume mounts)

@patan32
Author

patan32 commented Sep 18, 2023

Maybe it's working and I am understanding it wrong. It just replaces the cert in MikroTik again after a container restart. Is that normal even if the cert is not expired?

2023/09/18 09:20:49 [INFO] [xxx] acme: authorization already valid; skipping challenge
2023/09/18 09:20:49 [INFO] [xxx] acme: Validations succeeded; requesting certificates
2023/09/18 09:20:51 [INFO] [xxx] Server responded with a certificate.
Checking connection to RouterOS...DONE
Removing previous certificate and delete certificate file if the file exist on RouterOS...DONE
Uploading Certificate to RouterOS...DONE
Importing certificate file and delete certificate file after import...DONE
Deleting Certificate file if the file exist on RouterOS...DONE
Upload Key to RouterOS...DONE
Importing Key file and delete Certificate file after import...DONE
Setting certificate to Webserver...DONE setting certificate on WebServer
Setting certificate to API...DONE setting certificate on API
Setting certificate to Hotspot...DONE setting certificate on Hotspot

@foorschtbar
Owner

Yes, you are right. The container doesn't check the deployed certificate and uploads it on every start, and after that periodically via cron job. Yes, that can be improved, but it needs some time for a very low benefit. Feel free to open a PR to improve this behavior.

@patan32
Author

patan32 commented Sep 18, 2023

Hello,

Actually it's not a low benefit but an issue, since I am getting rate limited. If I am working on my docker server or restart it too many times, this will cause the ACME ban. How do you want me to open the PR? Do you have any instructions?

2023/09/18 14:06:23 Could not obtain certificates:
	acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: xxxx, retry after 2023-09-19T17:56:50Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/

@foorschtbar
Owner

Oh, yes, you are right. I thought lego would be a little smarter with the run/renew procedure, but it is not (go-acme/lego#216). After 5 tries I am also now blocked until tomorrow :D

I will fix that later with an updated container image.
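The restart behaviour discussed in this thread can be gated on the certificate already stored in the /letsencrypt volume, so that a container start only contacts the ACME server when there is no certificate yet or it is close to expiry. This is an added example, not the project's own entrypoint: the CERT_FILE and RENEW_DAYS variables, the certificate path and the deploy stub are assumptions.

```shell
#!/bin/sh
# Added example: only place an ACME order when the stored certificate is
# missing or expires within RENEW_DAYS, so restarts do not exhaust the
# Let's Encrypt duplicate-certificate limit (5 per 168 hours).
# CERT_FILE, RENEW_DAYS and deploy_to_routeros are constructed assumptions,
# not the project's own names.

CERT_FILE="${CERT_FILE:-/letsencrypt/certificates/router.example.crt}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# Returns 0 if FILE holds a certificate that is still valid for at least
# SECONDS. openssl does the date arithmetic; nothing is parsed in the shell.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Prints one of: run (no certificate yet), renew (expires within DAYS),
# skip (certificate is fine; do not contact the ACME server at all).
decide_action() {
    cert="$1"; days="$2"
    if [ ! -s "$cert" ]; then
        echo run
    elif cert_valid_for "$cert" "$((days * 86400))"; then
        echo skip
    else
        echo renew
    fi
}

# Stand-in for the upload/import steps shown in the RouterOS log above;
# it is only reached when a new certificate was actually obtained.
deploy_to_routeros() {
    echo "Uploading $CERT_FILE to RouterOS..."
}

main() {
    action="$(decide_action "$CERT_FILE" "$RENEW_DAYS")"
    echo "Decision for $CERT_FILE: $action"
    [ "$action" != skip ] || return 0           # nothing to do, no ACME traffic
    command -v lego >/dev/null 2>&1 || return 0  # dry run when lego is absent
    # Domain and DNS-provider flags for lego are omitted here.
    case "$action" in
        run)   lego --path /letsencrypt run && deploy_to_routeros ;;
        renew) lego --path /letsencrypt renew --days "$RENEW_DAYS" && deploy_to_routeros ;;
    esac
}

main
```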

@patan32
Author

patan32 commented Sep 20, 2023

That would be nice, because getting the ban is a really big issue. Let me know; I can test with a different domain if you fix the issue.

@patan32
Author

patan32 commented Sep 20, 2023

Thank you for fixing the issue. It's working perfectly now.
