ARI basically tells the client when to renew a certificate, whether it's earlier than usual (when certs need to be revoked) or at a specific time (balancing the load on the CA side).
My request is to support that feature, if possible.
This may have to be implemented soon. uacme uses OCSP to determine if it should issue certificates based on if it's been revoked, and Let's Encrypt plans to remove their OCSP responders entirely on 2025-08-06 while removing OCSP URLs from certificates on 2025-05-07.
(And by 2025-01-30, requesting certificates with OCSP Must-Staple won't work)
Uacme only queries the OCSP server if the certificate has an Authority Information Access extension with an OCSP server location according to https://tools.ietf.org/html/rfc5280#section-4.2.2.1. When Let's Encrypt discontinues the OCSP, it will of course no longer add the extension. So everything will continue to work without changing anything.
Must-staple is not the default behaviour. If --must-staple is specified after it's phased out by Let's Encrypt, certificate issuance will simply fail with an error from their server. Since uacme supports any ACME server, and certificate authorities other than Let's Encrypt may still supply OCSP and Must-Staple, I am not going to remove this functionality.
I agree that ARI is desirable, but due to private and work commitments its implementation will have to wait for now.
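As an added illustration (not uacme code and not written by anyone in this thread), the client side of ARI as specified in RFC 9773: build the certificate identifier that is appended to the CA's renewalInfo URL, then decide from the returned `suggestedWindow` whether to renew on this run. The sample response, the function names and the cron-style `next_run` parameter are assumptions made for the example.

```python
import base64
import json
import random
from datetime import datetime, timedelta, timezone

# Constructed sample renewalInfo response body (not captured from a real CA).
SAMPLE_RENEWAL_INFO = """{
  "suggestedWindow": {"start": "2025-01-02T04:00:00Z", "end": "2025-01-03T04:00:00Z"},
  "explanationURL": "https://ca.example/ari-explanation"
}"""

def _b64url(data: bytes) -> str:
    # base64url without trailing "=" padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def ari_cert_id(aki_key_id: bytes, serial: int) -> str:
    """base64url(AKI keyIdentifier) + "." + base64url(DER serial bytes)."""
    # DER INTEGER content: big-endian, with a leading 0x00 when the top bit is set.
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return _b64url(aki_key_id) + "." + _b64url(serial_der)

def _parse_ts(value: str) -> datetime:
    # Accept the RFC 3339 "Z" suffix on Python versions older than 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pick_renewal_time(body: str, rng=random) -> datetime:
    """Pick a uniformly random instant inside suggestedWindow."""
    window = json.loads(body)["suggestedWindow"]
    start, end = _parse_ts(window["start"]), _parse_ts(window["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    return start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))

def should_renew_now(chosen: datetime, now: datetime, next_run: datetime) -> bool:
    """Renew if the chosen time has passed or falls before the next scheduled run."""
    return chosen <= now or chosen < next_run

if __name__ == "__main__":
    # Sample AKI keyIdentifier and serial number, for illustration only.
    cert_id = ari_cert_id(bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4"), 0x87654321)
    now = datetime(2025, 1, 4, tzinfo=timezone.utc)
    chosen = pick_renewal_time(SAMPLE_RENEWAL_INFO)
    print(cert_id, chosen.isoformat(), should_renew_now(chosen, now, now + timedelta(days=1)))
```

A CA that needs certificates replaced early moves the window into the past, which makes `should_renew_now` return true on the client's next run. If the renewalInfo request fails, a client should fall back to its usual expiry-based schedule.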
Let's Encrypt has pushed ACME Renewal Information (ARI) to production.