Parameter:
CERTMGR_REQUEST_RENEWAL_DAYSShort description: Number of days before expiration at which CertMgr should automatically renew a TLS certificate (Let's Encrypt / ACME / manual CA).
Profile
Parameter | CERTMGR_REQUEST_RENEWAL_DAYS |
Category | Security / TLS |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | Integer in days (default 30, typically 7–45) |
Description
The Certificate Manager (
certmgr) does not renew TLS certificates only on the day of expiration, but earlier – with a sufficient safety buffer. CERTMGR_REQUEST_RENEWAL_DAYS defines this lead time. For Let's Encrypt (90-day certificates), 30 is a proven value: renewal starts 60 days after issuance and leaves plenty of time for retries if ACME validation temporarily fails.For CA-signed certificates with longer validity (1–2 years), the value can be set higher so that the renewal workflow starts in time and manual intermediate steps (DCV, CSR approval) can be completed.
Example configuration
CERTMGR_REQUEST_RENEWAL_DAYS=30
Notes & pitfalls
- Value in days.
- Values that are too small (≤ 5) are risky – if a renewal fails, there is hardly any time left for a retry.
- For Let's Encrypt, don't go below
15.
- Takes effect after a restart of
certmgr(restart task certmgr).
- Complementary to
CERTMGR_INTERVAL,CertMgr_NoVerifyHTTPChallenge.