feat: support custom duration for certificate (#1925)

2026-03-14 14:35:48 +01:00 · 2023-05-28 16:45:48 +02:00 · 2023-05-28 16:45:48 +02:00 · c341e6a381
commit c341e6a381
parent 8bf0cee70e
8 changed files with 268 additions and 40 deletions
--- a/cmd/cmd_renew.go
+++ b/cmd/cmd_renew.go
@ -75,9 +75,15 @@ func createRenew() *cli.Command {
 				Usage: "Include the OCSP must staple TLS extension in the CSR and generated certificate." +
 					" Only works if the CSR is generated by lego.",
 			},
-			&cli.StringFlag{
-				Name:  "renew-hook",
-				Usage: "Define a hook. The hook is executed only when the certificates are effectively renewed.",
+			&cli.TimestampFlag{
+				Name:   "not-before",
+				Usage:  "Set the notBefore field in the certificate (RFC3339 format)",
+				Layout: time.RFC3339,
+			},
+			&cli.TimestampFlag{
+				Name:   "not-after",
+				Usage:  "Set the notAfter field in the certificate (RFC3339 format)",
+				Layout: time.RFC3339,
 			},
 			&cli.StringFlag{
 				Name: "preferred-chain",
@ -88,6 +94,10 @@ func createRenew() *cli.Command {
 				Name:  "always-deactivate-authorizations",
 				Usage: "Force the authorizations to be relinquished even if the certificate request was successful.",
 			},
+			&cli.StringFlag{
+				Name:  "renew-hook",
+				Usage: "Define a hook. The hook is executed only when the certificates are effectively renewed.",
+			},
 			&cli.BoolFlag{
 				Name: "no-random-sleep",
 				Usage: "Do not add a random sleep before the renewal." +
@ -188,12 +198,15 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif

 	request := certificate.ObtainRequest{
 		Domains:                        merge(certDomains, domains),
-		Bundle:                         bundle,
 		PrivateKey:                     privateKey,
 		MustStaple:                     ctx.Bool("must-staple"),
+		NotBefore:                      getTime(ctx, "not-before"),
+		NotAfter:                       getTime(ctx, "not-after"),
+		Bundle:                         bundle,
 		PreferredChain:                 ctx.String("preferred-chain"),
 		AlwaysDeactivateAuthorizations: ctx.Bool("always-deactivate-authorizations"),
 	}
+
 	certRes, err := client.Certificate.Obtain(request)
 	if err != nil {
 		log.Fatal(err)
@ -265,12 +278,16 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
 	timeLeft := cert.NotAfter.Sub(time.Now().UTC())
 	log.Infof("[%s] acme: Trying renewal with %d hours remaining", domain, int(timeLeft.Hours()))

-	certRes, err := client.Certificate.ObtainForCSR(certificate.ObtainForCSRRequest{
+	request := certificate.ObtainForCSRRequest{
 		CSR:                            csr,
+		NotBefore:                      getTime(ctx, "not-before"),
+		NotAfter:                       getTime(ctx, "not-after"),
 		Bundle:                         bundle,
 		PreferredChain:                 ctx.String("preferred-chain"),
 		AlwaysDeactivateAuthorizations: ctx.Bool("always-deactivate-authorizations"),
-	})
+	}
+
+	certRes, err := client.Certificate.ObtainForCSR(request)
 	if err != nil {
 		log.Fatal(err)
 	}