Add CERT_PROFILE support, fix DST Root CA X3 renewal loop, and improve ARI renewal scheduling

[Sausageroll2077]

---

• I have read the contributing guideline and understand that I have made the correct modifications

---

Description:

1. CERT_PROFILE environment variable

Adds support for the CERT_PROFILE environment variable, allowing users to request a specific Let's Encrypt certificate profile via certbot's preferred-profile flag. Supported profiles:

Profile	Validity	Notes
classic	90 days	Default, backward compatible
tlsserver	Short window	Modern CA/B Forum standard, omits Common Name, max 25 domains
shortlived	6 days (~160 hours)	No revocation info, smaller certs, fully automated systems only
tlsclient	90 days	TLS client auth EKU — being discontinued July 8, 2026

ZeroSSL does not support ACME profiles and the variable is silently ignored when CERTPROVIDER=zerossl.

2. DST Root CA X3 fix

Removed the check for the expired DST Root CA X3 certificate since it wascausing certbot to trigger constant unnecessary certificate renewals at start

3. ARI-aware renewal scheduling

Changes certbot renew from once daily to twice daily (*/12) per the Let's Encrypt Integration Guide recommendation to check ARI at least twice daily.

Additionally randomizes the cron minute offset (0–59) on each container start to spread renewal load across instances, and logs the next scheduled check time at startup.

Updates the readme to reflect twice daily cert checks via ARI and removes the outdated reference to Let's Encrypt expiration notification emails which ended in June 2025.

Benefits of this PR and context:

CERT_PROFILE enables users to adopt shorter-lived certificates today. This is directly relevant to the whole SWAG userbase given Let's Encrypt's announced roadmap:

• Feb 10, 2027: Default classic profile moves from 90-day to 64-day
• Feb 16, 2028: Default profile moves to 45-day

Lays the groundwork for support for ip certificates which requires 6 day certs.Six-Day and IP Address Certificates Available in Certbot

As certificate lifetimes shorten, ARI renewal windows become proportionally narrower. The twice daily cron change is forward-looking — what currently only matters for shortlived users will affect all SWAG users as default lifetimes decrease.

DST Root CA X3 was causing unnecessary renewal attempts on affected systems.

How Has This Been Tested?

Built the Docker image locally on an Unraid server and tested:

• Set CERT_PROFILE=shortlived in staging and production mode — received a 6-day certificate both times:

• Confirmed ARI is being queried at each renewal check via grep renewalInfo /config/log/letsencrypt/letsencrypt.log
• Confirmed randomized cron offset appears in Docker logs at startup
• Confirmed next scheduled check time displayed correctly at startup
• Verified full ARI suggestedWindow response showing a ~3 hour window set at the cert's halfway point (day 3 of 6)

Source / References:

• https://letsencrypt.org/docs/profiles/ — certificate profiles documentation
• https://letsencrypt.org/docs/integration-guide/ — "check ARI at least twice a day"
• https://letsencrypt.org/2026/03/17/acme-renewal-information-ari — ARI overview
• https://letsencrypt.org/2025/06/26/expiration-notification-service-has-ended — expiration emails ended
• https://letsencrypt.org/2026/03/11/shorter-certs-certbot — shorter-certs-certbot

[github-actions]

Thanks for opening this pull request! Be sure to follow the pull request template!

[Sausageroll2077]

While testing this on Unraid, I noticed every container restart was looping into a revoke + reissue cycle when CERT_PROFILE=shortlived was set. The cause is the existing legacy check that tries to detect certs still on the expired DST Root CA X3 cross-sign:
openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"

I changed it to check for the actual bad chain:
openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "DST Root CA X3"

This way it does not interfere with the new intermediates that shortlived introduces.

[Sausageroll2077]

Looking at it again I think this checking for this old le root certificate should just be removed can't imagine anyone is still running with that cert.

will add it in this pr for now since it causes issues with the new intermediate certificates from le.
but if neccesary can make a new pr for it.

[Sausageroll2077]

Changed the pull request to better reflect all changes.
Apologies for the chaotic PR will do better next time.