1 files changed, 24 insertions, 0 deletions

diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 547618e8f..1f57c7e38 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -88,6 +88,15 @@ type ACMEIssuer struct {
 	// will be selected.
 	PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
 
+	// The validity period to ask the CA to issue a certificate for.
+	// Default: 0 (CA chooses lifetime).
+	// This value is used to compute the "notAfter" field of the ACME order;
+	// therefore the system must have a reasonably synchronized clock.
+	// NOTE: Not all CAs support this. Check with your CA's ACME
+	// documentation to see if this is allowed and what values may
+	// be used. EXPERIMENTAL: Subject to change.
+	CertificateLifetime caddy.Duration `json:"certificate_lifetime,omitempty"`
+
 	rootPool *x509.CertPool
 	logger   *zap.Logger
 
@@ -178,6 +187,7 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) {
 		CertObtainTimeout: time.Duration(iss.ACMETimeout),
 		TrustedRoots:      iss.rootPool,
 		ExternalAccount:   iss.ExternalAccount,
+		NotAfter:          time.Duration(iss.CertificateLifetime),
 		Logger:            iss.logger,
 	}
 
@@ -349,6 +359,20 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 
 	for d.NextBlock(0) {
 		switch d.Val() {
+		case "lifetime":
+			var lifetimeStr string
+			if !d.AllArgs(&lifetimeStr) {
+				return d.ArgErr()
+			}
+			lifetime, err := caddy.ParseDuration(lifetimeStr)
+			if err != nil {
+				return d.Errf("invalid lifetime %s: %v", lifetimeStr, err)
+			}
+			if lifetime < 0 {
+				return d.Errf("lifetime must be >= 0: %s", lifetime)
+			}
+			iss.CertificateLifetime = caddy.Duration(lifetime)
+			
 		case "dir":
 			if iss.CA != "" {
 				return d.Errf("directory is already specified: %s", iss.CA)