Rework the way certificates renewal is managed #81
Merged
Conversation
jpcweb approved these changes on Feb 17, 2026
Some Linux distributions do not ship cron by default anymore. The module unconditionally manages cron entries, resulting in catalog application failures on these operating systems until cron is installed. To avoid this hard dependency, allow choosing how certificate renewal is to be handled with the new `dehydrated::renewal_provider` parameter, which replaces the `dehydrated::cron_integration` parameter. If you previously set `cron_integration => true`, you must remove this parameter and replace it with `renewal_provider => 'cron'`. If you prefer to rely on systemd to renew certificates, you can set `renewal_provider` accordingly. We also introduce another new parameter, `renewal_interval`, which allows selecting how often certificate renewals are attempted. Because the world is moving toward short-lived certificates, the default interval is `daily`, but it can be set to `weekly` to match the previous behavior. Also note that the default value `never` is supported and allows switching from one provider to another without leftovers from the legacy provider. For this a two-step upgrade is required:

1. Keep `renewal_provider` unchanged and set `renewal_interval => 'never'`, then apply a catalog;
2. Change `renewal_provider` to the new provider and set `renewal_interval` to the expected value.
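The following is an added example, not code from this PR or from the dehydrated module, showing how the two-step provider switch described above could be encoded in a wrapper profile so that a host is never left without a scheduled renewal by accident. The class name `profile::dehydrated_renewal` is hypothetical, and the literal `'systemd'` for the systemd provider is an assumption (the description says the provider can be set "accordingly" but does not spell out the value); the `renewal_provider` and `renewal_interval` parameters and the `daily`/`weekly`/`never` values are the ones the PR introduces.

```puppet
# Added example; not code from this PR or from the dehydrated module itself.
# Assumes the `dehydrated` class accepts the `renewal_provider` and
# `renewal_interval` parameters introduced by this PR, and assumes the systemd
# provider is selected with the literal 'systemd' (not spelled out in the PR).
# The wrapper class name is hypothetical.
class profile::dehydrated_renewal (
  # Provider currently configured on the host. What `cron_integration => true`
  # used to mean is now expressed as `renewal_provider => 'cron'`.
  Enum['cron', 'systemd'] $current_provider = 'cron',
  # Provider the host should end up using once the migration is complete.
  Enum['cron', 'systemd'] $target_provider  = 'systemd',
  # Interval to use after the migration: 'daily' is the new default (suited to
  # short-lived certificates); 'weekly' reproduces the pre-PR behaviour.
  Enum['daily', 'weekly'] $target_interval  = 'daily',
  # Migration step: apply a catalog with 1 first, then switch to 2.
  Integer[1, 2]           $migration_step   = 1,
) {
  # Step 1 keeps the legacy provider but sets the interval to 'never', so the
  # legacy entries are cleaned up without anything new being scheduled yet.
  # Step 2 switches to the target provider with the real interval.
  # A host that is not changing provider needs no intermediate step, so it is
  # never parked on 'never' (which would silently stop renewals).
  $in_transition = ($current_provider != $target_provider) and ($migration_step == 1)

  $provider = $in_transition ? {
    true    => $current_provider,
    default => $target_provider,
  }
  $interval = $in_transition ? {
    true    => 'never',
    default => $target_interval,
  }

  class { 'dehydrated':
    renewal_provider => $provider,
    renewal_interval => $interval,
  }
}
```

Usage: classify the host with `migration_step => 1`, apply a catalog, then set `migration_step => 2` and apply again. Only step 2 actually schedules renewals, so a fleet-wide rollout should verify that no host stays on step 1; the `$in_transition` guard keeps hosts whose provider is not changing at their normal interval throughout.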
neomilium approved these changes on Feb 24, 2026
Member: IMHO, this PR explanation contains clear migration instructions that should be in README.md.
Member (Author): These instructions only make sense when updating, and the CHANGELOG will link to this PR. I am fine with not adding these details to the main README.
neomilium approved these changes on Feb 28, 2026