From b115c4745538c58726cbadafe98e42a6e04e9c4e Mon Sep 17 00:00:00 2001
From: Corey Davis
Date: Wed, 12 Nov 2025 15:08:34 -0500
Subject: [PATCH] Fix --days flag to properly calculate renewal time with --valid-to

When using --valid-to with --days, the renewal time was incorrectly set to 1 day before certificate expiry instead of respecting the user's --days value. This fix ensures that:
- Renewal is scheduled at 'issuance + days' as intended
- Falls back to 1 day before expiry only if cert expires before renewal
- Matches the behavior when --valid-to is not specified
Example: With --valid-to '+47d' --days 42:
- Before: Renewal at day 46 (1 day before expiry)
- After: Renewal at day 42 (as specified)
---
 acme.sh | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/acme.sh b/acme.sh
index 7caec290..8b9b1d93 100755
--- a/acme.sh
+++ b/acme.sh
@@ -5386,26 +5386,41 @@ $_authorizations_map"
 _cleardomainconf Le_ForceNewDomainKey
 fi
 if [ "$_notAfter" ]; then
- Le_NextRenewTime=$(_date2time "$_notAfter")
+ Le_CertExpireTime=$(_date2time "$_notAfter")
 Le_NextRenewTimeStr="$_notAfter"
 if [ "$_valid_to" ] && ! _startswith "$_valid_to" "+"; then
 _info "The domain is set to be valid until: $_valid_to"
 _info "It cannot be renewed automatically"
 _info "See: $_VALIDITY_WIKI"
+ Le_NextRenewTime="$Le_CertExpireTime"
 else
- _now=$(_time)
- _debug2 "_now" "$_now"
- _lifetime=$(_math $Le_NextRenewTime - $_now)
- _debug2 "_lifetime" "$_lifetime"
- if [ $_lifetime -gt 86400 ]; then
- #if lifetime is logner than one day, it will renew one day before
- Le_NextRenewTime=$(_math $Le_NextRenewTime - 86400)
- Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
+ # Calculate renewal time based on user's --days setting first
+ Le_UserRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
+ _debug2 "Le_UserRenewTime" "$Le_UserRenewTime"
+ _debug2 "Le_CertExpireTime" "$Le_CertExpireTime"
+
+ # Check if user's renewal time is after certificate expiration
+ if [ "$Le_UserRenewTime" -ge "$Le_CertExpireTime" ]; then
+ # User's setting would renew after expiration, use fallback logic
+ _now=$(_time)
+ _debug2 "_now" "$_now"
+ _lifetime=$(_math $Le_CertExpireTime - $_now)
+ _debug2 "_lifetime" "$_lifetime"
+ if [ $_lifetime -gt 86400 ]; then
+ #if lifetime is longer than one day, it will renew one day before
+ Le_NextRenewTime=$(_math $Le_CertExpireTime - 86400)
+ _info "Certificate expires in less than $Le_RenewalDays days, setting renewal to 1 day before expiration"
+ else
+ #if lifetime is less than 24 hours, it will renew one hour before
+ Le_NextRenewTime=$(_math $Le_CertExpireTime - 3600)
+ _info "Certificate expires in less than 24 hours, setting renewal to 1 hour before expiration"
+ fi
 else
- #if lifetime is less than 24 hours, it will renew one hour before
- Le_NextRenewTime=$(_math $Le_NextRenewTime - 3600)
- Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
+ # User's setting is valid, use it
+ Le_NextRenewTime="$Le_UserRenewTime"
+ _info "Using user-specified renewal time: $Le_RenewalDays days after issuance"
 fi
+ Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
 fi
 else
 Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
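Review bot: The new guard `[ "$Le_UserRenewTime" -ge "$Le_CertExpireTime" ]` falls back only when the --days time lands at or after expiry, so a value that falls minutes or hours before notAfter (for example --valid-to '+42d' with --days 42, where issuance and notBefore may differ by a few seconds) is accepted with no safety margin. The old code always left at least a day (or an hour for short-lived certificates), and if renewals are driven by a periodic cron run, as is presumably the case, the certificate can expire before the next run picks it up. I would compare against the margin instead, e.g. `_latest_renew=$(_math "$Le_CertExpireTime" - 86400)` followed by `if [ "$Le_UserRenewTime" -ge "$_latest_renew" ]; then`, which still routes sub-day certificates into the existing one-hour fallback. Separately, if `_date2time` returns an empty string the `-ge` test errors and control drops into the "user's setting is valid" branch; an explicit `[ -z "$Le_CertExpireTime" ]` check before the comparison would make that case deliberate. The enclosing function starts and ends outside this hunk, so how `Le_RenewalDays` is defaulted cannot be confirmed from here.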