Todo #16605
Update certificate expiration warning behavior
Status: open
Done: 0%
Description
Currently the certificate expiration notifications are based on either a user-supplied number of days or a default value of 27 days.
CA/Browser Forum Baseline Requirements call for shorter certificate lifetimes to be phased in over the next few years, which will make the current method impractical, and some CAs already offer profiles with certificate lifetimes as short as 6 days. (See also: #16603)
The behavior should be changed to instead warn the user based on the shorter of two thresholds: 1/3 of the certificate lifetime less one day, or the current logic (the user-supplied number of days or the 27-day default). This way a user isn't warned too early for long-lived certificates, but also won't be spammed with notifications for short-lived certificates.
Consider the near-worst case of an ACME certificate valid for 6 days. If we warn at 1/3 of the lifetime remaining, the user would be warned 2 days before expiration, but that is also the same day ACME would renew the certificate. If the warning threshold is moved one day later, to one day before expiration (1/3 of the lifetime less one day), the user will get a warning only when the renewal failed or was otherwise missed or late.
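The proposed rule, worked through as an added Python example (not code from the project this issue belongs to): the warning threshold is the shorter of one third of the lifetime less one day and the configured (or default 27-day) value. The one-day floor for very short lifetimes, the constant names and the scenario list are assumptions of this example, not part of the issue.

```python
from datetime import datetime, timedelta, timezone

# Default from the issue description: warn 27 days before expiry unless the
# user configured a different number of days.
DEFAULT_WARN_DAYS = 27

# Assumption (not stated in the issue): never warn later than one day before
# expiry, so certificates shorter than 6 days still get at least a day's notice.
MIN_WARN_DAYS = 1


def warn_threshold(not_before, not_after, configured_days=None):
    """Time before expiry at which warnings should start, as a timedelta.

    Implements the proposed rule: the shorter of (lifetime / 3) - 1 day and
    the configured (or default) number of days.
    """
    lifetime = not_after - not_before
    by_lifetime = lifetime / 3 - timedelta(days=1)
    days = DEFAULT_WARN_DAYS if configured_days is None else configured_days
    by_config = timedelta(days=days)
    threshold = min(by_lifetime, by_config)
    # Floor at MIN_WARN_DAYS so the formula never produces a zero or negative window.
    return max(threshold, timedelta(days=MIN_WARN_DAYS))


def should_warn(not_before, not_after, now, configured_days=None):
    """True when the certificate is inside its warning window (or already expired)."""
    remaining = not_after - now
    return remaining <= warn_threshold(not_before, not_after, configured_days)


def threshold_days(lifetime_days, configured_days=None):
    """Convenience wrapper: threshold in days for a certificate of the given lifetime."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed notBefore
    end = start + timedelta(days=lifetime_days)
    return warn_threshold(start, end, configured_days) / timedelta(days=1)


if __name__ == "__main__":
    # Constructed scenarios: (lifetime in days, configured warning days or None)
    cases = [
        (398, None),  # typical public TLS certificate, default 27-day setting
        (90, None),   # classic ACME lifetime: 29 days by lifetime, so the 27-day default wins
        (60, None),   # 19 days by lifetime, shorter than the default
        (90, 10),     # user explicitly asked for 10 days
        (6, None),    # short-lived ACME profile from the issue
        (6, 45),      # a generous user setting must not override the lifetime rule
    ]
    for lifetime, configured in cases:
        print(f"lifetime={lifetime:>3}d configured={configured!s:>4} "
              f"-> warn at {threshold_days(lifetime, configured):.2f} days before expiry")

    # The 6-day case from the issue: renewal is due with 2 days left; the
    # warning fires at 1 day, i.e. only if the renewal failed or ran late.
    nb = datetime(2024, 1, 1, tzinfo=timezone.utc)
    na = nb + timedelta(days=6)
    print("warn at renewal time (2 days left)?", should_warn(nb, na, na - timedelta(days=2)))
    print("warn with 1 day left?", should_warn(nb, na, na - timedelta(days=1)))
```

For the 6-day certificate the function returns a one-day window, so no notification is sent on the day ACME is expected to renew, and one is sent the following day only if the certificate is still the old one.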