
Conversation

@gigamonster256 (Author) wrote in the pull request description:

I run my own CA with very short certificate lifetimes and it is useful to be able to have the automated renewal cron job always renew a certificate when run.

fraenki self-assigned this Jan 26, 2026

fraenki (Member) commented Jan 26, 2026

How has this been tested?

gigamonster256 (Author) commented

I made this change locally, set the renewInterval to 0 using the web UI, then observed the certificate being renewed every time the renewal cron job ran. Without this change, at least a 24 hour interval is required (regardless of when or how many times the cron job runs) in the following codepath (the only time renewInterval is referenced):

```php
// Collect required information
$current_time = new \DateTime();
$last_update_time = new \DateTime();
$last_update_time->setTimestamp($last_update);
$renew_interval = (string)$this->config->renewInterval;
$next_update = $last_update_time->add(new \DateInterval('P' . $renew_interval . 'D'));
// Do the math
if ($current_time >= $next_update) {
    LeUtils::log('certificate must be issued/renewed: ' . (string)$this->config->name);
    $return = true;
}
return $return;
```

gigamonster256 (Author) commented Jan 26, 2026

I will also note that most automated renewal systems use an approach of "check whether the cert needs to be renewed every renewalInterval and attempt renewal when the cert expiration date is less than validMin away" rather than OPNsense's "check whether the cert needs to be renewed on every cron job run and attempt renewal when the cert issuance date is more than renewalInterval in the past".

For example, certmgr's "before" config value and lego renew's "--days" option set the validMin value in the above example, and certmgr's "interval" config and lego's systemd timer manage the renewalInterval value.

Edit: also, the 60 day default for renewInterval will cause issues once Let's Encrypt's shorter cert lifetimes go into effect.
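To make the two renewal policies in the comment above concrete, the following is an added Python model (not code from the pull request or from the OPNsense plugin) that runs both checks over a daily cron against a constructed short-lived certificate; the 7-day lifetime, the 60-day and 0-day intervals and the 3-day validMin are assumed values chosen to show where each policy renews and where the issuance-based check lets the certificate expire.

```python
from datetime import datetime, timedelta


def due_by_issuance(last_issued: datetime, now: datetime, renew_interval_days: int) -> bool:
    """OPNsense-style check: due once renewInterval days have elapsed since the last
    issuance. A renew_interval_days of 0 makes every cron run renew (the PR's goal)."""
    next_update = last_issued + timedelta(days=renew_interval_days)
    return now >= next_update


def due_by_expiry(not_after: datetime, now: datetime, valid_min_days: int) -> bool:
    """lego/certmgr-style check: due when fewer than valid_min_days of validity remain."""
    return (not_after - now) < timedelta(days=valid_min_days)


def simulate(lifetime_days: int, renew_interval_days: int, valid_min_days: int, days: int) -> dict:
    """Run both policies independently over `days` daily cron runs.
    Returns, per policy, the run numbers on which it renewed and whether the
    certificate was ever found already expired when a run began (a coverage gap)."""
    start = datetime(2026, 1, 26)  # constructed issuance time of the first certificate
    state = {
        "issuance": {"issued": start, "renewals": [], "expired": False},
        "expiry": {"issued": start, "renewals": [], "expired": False},
    }
    for day in range(1, days + 1):
        now = start + timedelta(days=day)
        for policy, s in state.items():
            not_after = s["issued"] + timedelta(days=lifetime_days)
            if now >= not_after:
                s["expired"] = True  # cert lapsed before this run could renew it
            if policy == "issuance":
                due = due_by_issuance(s["issued"], now, renew_interval_days)
            else:
                due = due_by_expiry(not_after, now, valid_min_days)
            if due:
                s["issued"] = now
                s["renewals"].append(day)
    return state


if __name__ == "__main__":
    # 7-day cert, 60-day default renewInterval: issuance check never fires, cert expires
    for name, s in simulate(7, 60, 3, 30).items():
        print(f"{name:9s} renewals={s['renewals']} expired={s['expired']}")
    # renewInterval=0: issuance check renews on every run, matching the PR's use case
    print(simulate(7, 0, 3, 5)["issuance"]["renewals"])
```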
