I'm using systemd timers on a CentOS 7 server and have a timer set to automatically renew a Certbot-managed Let's Encrypt website certificate.
autorenewal.service:
[Unit]
Description=certbot certificate auto-renewal service file
[Service]
Type=simple
ExecStart=/usr/local/sbin/certbot-auto renew
[Install]
WantedBy=multi-user.target
autorenewal.timer:
[Unit]
Description=Renew certs every 10th every 3 months
[Timer]
OnCalendar=*-2,5,8,11-10 08:00:00
Persistent=true
Unit=certbotautorenewal.service
[Install]
WantedBy=multi-user.target
The problem is that, as far as I know, with OnCalendar events the timer can be set only to a specific date (say, every 15th of every month or every 3 months), but a Let's Encrypt certificate expires after a specific number of days (90). I want to renew the certificate a bit earlier, say, every 83 days or even two and a half months. I know the Let's Encrypt expiry bot recommends renewing every 60 days, but I don't really trust it, since the expiration notice messages start coming when the certificate expires in 20 days, not 30. I don't want to renew the certificate when it's not due yet, because the renew command will be ignored and when it is finally needed a month later, it won't be there. Right now I use a clumsy workaround where I have to set the "every 3 months on a particular day" renewal time several days earlier after every renewal. Is there an actual solution to this? Because for some reason, certbot forces the use of systemd timers on CentOS 7 instead of cron. Maybe there is a hidden subtract option in the timer syntax? Or, for example, using bash to sync the calendar with the number of days.
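An added example, not part of the original post: a shell sketch of the "number of days" idea from the question, which reads the certificate's own notAfter date and reports whether it is within 7 days of expiry (day 83 of 90). It assumes GNU date and openssl; the function names, the threshold variable and the certificate path passed as the first argument are hypothetical.

```shell
#!/bin/sh
# Added example: decide from the certificate's expiry date, not the calendar,
# whether renewal is due. Assumes GNU date and openssl are installed.

RENEW_BEFORE_DAYS=7   # assumption: 90-day lifetime minus the 83 days in the question

# Print whole days between "now" (epoch seconds, $2, default: current time)
# and a notAfter string in the form openssl prints it ($1).
days_left() {
    dl_now="${2:-$(date +%s)}"
    dl_end=$(date -u -d "$1" +%s) || return 2
    echo $(( (dl_end - dl_now) / 86400 ))
}

# Exit status 0 when the certificate is inside the renewal window.
renewal_due() {
    rd_left=$(days_left "$1" "$2") || return 2
    [ "$rd_left" -le "$RENEW_BEFORE_DAYS" ]
}

# Read notAfter from a PEM file; openssl prints e.g.
# "notAfter=May 10 08:00:00 2024 GMT", so keep what follows the "=".
cert_not_after() {
    openssl x509 -enddate -noout -in "$1" | cut -d= -f2
}

main() {
    m_cert="$1"   # path to the certificate, supplied by the caller
    m_end=$(cert_not_after "$m_cert") || exit 2
    [ -n "$m_end" ] || { echo "cannot read expiry from $m_cert" >&2; exit 2; }
    if renewal_due "$m_end"; then
        echo "renewal due: $(days_left "$m_end") days left"
        # The renewal command from the unit file above would run here:
        # /usr/local/sbin/certbot-auto renew
    else
        echo "not due: $(days_left "$m_end") days left"
    fi
}

# Run only when a certificate path is given on the command line.
if [ $# -gt 0 ]; then main "$@"; fi
```

Started from a timer with `OnCalendar=daily`, the expiry check rather than the timer date decides when renewal happens, so the schedule never has to be shifted by hand.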