by halifaxbeard 155 days ago
> 8 lets me refresh weekly and have a fixed day of the week to check whether there was some API 429 timeout

There’s your answer.

6 days means on a long enough timeframe the load will end up evenly distributed across a week.

8 days would result in things getting hammered on specific days of the week.

3 comments

> 6 days means on a long enough timeframe the load will end up evenly distributed across a week.

People will put */5 in cron and the result will be the same, because that's obvious, easy and a nice number.

I'd have it renew Monday and Thursday to avoid weekend outages.
If they put */5 in cron, a single error response will break their site and the beginning of March will also break their site.
And they will replace it with * and just do it every day just in case.
Running an update script every day is good. Certbot defaults to running twice a day. Just use something with similar logic, waiting to renew short-lived certificates until halfway through their validity period. That way the actual load is nice and spread out. And you should get that logic by default if you do a normal setup.
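The daily-check, renew-at-half-life logic described in the comment above, as an added example that is not part of the thread and is not Certbot's code. The names `should_renew` and `simulate`, the 6-day lifetime, the start date and the failed-day sets are assumptions constructed for illustration; failed days stand in for a 429 or an outage.

```python
from datetime import datetime, timedelta, timezone

START = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed sample date
LIFETIME = timedelta(days=6)                        # assumed short-lived cert


def should_renew(not_before, not_after, now, fraction=0.5):
    """True once `fraction` of the validity period has elapsed."""
    lifetime = not_after - not_before
    return now >= not_before + lifetime * fraction


def simulate(start, days, lifetime, failed_days=frozenset()):
    """Run one check per day for `days` days against a simulated CA.

    failed_days: day indexes on which the renewal attempt fails.
    Returns (renewal datetimes, smallest validity left at any renewal).
    Raises RuntimeError if a check finds the certificate already expired.
    """
    not_before, not_after = start, start + lifetime
    renewals, min_margin = [], lifetime
    for day in range(days):
        now = start + timedelta(days=day)
        if now >= not_after:
            raise RuntimeError(f"certificate expired by day {day}")
        if should_renew(not_before, not_after, now) and day not in failed_days:
            min_margin = min(min_margin, not_after - now)
            renewals.append(now)
            not_before, not_after = now, now + lifetime
    return renewals, min_margin


if __name__ == "__main__":
    # Healthy month: the check runs daily but only renews every third day.
    ok, margin = simulate(START, 30, LIFETIME)
    print(len(ok), "renewals, smallest margin", margin)
    # Two failed attempts in a row are absorbed by the remaining half-life.
    _, margin = simulate(START, 30, LIFETIME, failed_days={3, 4})
    print("after two failed days, smallest margin", margin)
    # A third consecutive failure is an outage.
    try:
        simulate(START, 30, LIFETIME, failed_days={3, 4, 5})
    except RuntimeError as exc:
        print("three failed days:", exc)
```
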
I’d expect most will do this. I wouldn’t be surprised if LE expects this.
If I were to use short-lived certs, I would make sure to choose an ACME client that has support for ARI (ACME Renewal Information). Then the CA will tell the client when it’s time to renew.
ACME doesn't renew certificates when there's enough time, so it'll always renew around 6 days, even if you check more aggressively.

Currently ACME sets its cron job to 12 days on 90 day certificates.

Which ACME client are you referring to?
I thought people generally run it daily? It’s a no-op if it doesn’t need renewal.
So now people that want humans around will now renew twice in a week instead of once?
Oh definitely not. They don't want humans doing any renewals.