From 5a42e20dbaf40de96563d32998640929a6517ddf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Mon, 9 Sep 2024 14:39:50 +0200 Subject: [PATCH] fix #5665: add note about short-lived cert renewal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit not that obvious behaviour on the systemd side, and missing cert renewal can have wide-reaching consequences. Signed-off-by: Fabian Grünbichler --- certificate-management.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/certificate-management.adoc b/certificate-management.adoc index 71c6d71..d72ee1c 100644 --- a/certificate-management.adoc +++ b/certificate-management.adoc @@ -223,6 +223,9 @@ If a node has been successfully configured with an ACME-provided certificate renewed by the `pve-daily-update.service`. Currently, renewal will be attempted if the certificate has expired already, or will expire in the next 30 days. +NOTE: If you are using a custom directory that issues short-lived certificates, +disabling the random delay for the `pve-daily-update.timer` unit might be +advisable to avoid missing a certificate renewal after a reboot. ACME Examples with `pvenode` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
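Review bot: The added NOTE in certificate-management.adoc tells the reader that disabling the random delay for `pve-daily-update.timer` "might be advisable", but it gives neither the mechanism nor the steps. The commit message itself calls this "not that obvious behaviour on the systemd side", so the doc text should carry that explanation. Add one sentence on why a reboot combined with the random delay can cause a renewal run to be missed. Then say how to change it, for example with a drop-in created via `systemctl edit pve-daily-update.timer` that sets the timer's `RandomizedDelaySec` to 0, so the setting is kept in an override rather than an edit to the shipped unit file. It would also help to say what "short-lived" means relative to the 30-day renewal window stated in the context line just above, since a certificate with a shorter lifetime than that is always within the window and depends on every timer run actually happening.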