
Support ACME Renewal Information (ARI)

Open domrim opened this issue 10 months ago • 2 comments

As Let's Encrypt is deprecating Expiration Mails (https://letsencrypt.org/2025/01/22/Ending-Expiration-Emails) it would be nice if dehydrated could support ACME Renewal Information (ARI). For more background, there is a blog post.

An in-depth guide for implementing it can be found in the Let's Encrypt blog: https://letsencrypt.org/2024/04/25/guide-to-integrating-ari-into-existing-acme-clients/

domrim avatar Feb 04 '25 13:02 domrim

https://github.com/dehydrated-io/dehydrated/pull/959

BtbN avatar Feb 11 '25 00:02 BtbN

I agree, this feature should be added. While I don't agree that it's a solution to the expiration e-mails, and you are running dehydrated in a cron or sleep loop anyway to renew at <=32, I think it's a solution for revocation that happens CA side.

For example, in 2020 Let's Encrypt had to revoke approximately 3 million certificates due to not properly validating CAA records. In 2024 DigiCert had to revoke 83,000 certificates due to a bug in their CNAME-based DCV.

Both of these Certificate Authorities support ARI for their ACME servers. If dehydrated supported it, in the event one or many of your certificates were affected and subsequently revoked, ARI would have sent a shorter expiration date and the certificate would have been renewed within whatever time frame you cycle your dehydrated. This process would have been completely automated in the background and resolved itself, rather than users having to check if their certs are affected and issuing a manual forced renew.

GTAXL avatar May 31 '25 11:05 GTAXL
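
The per-run check the comment above describes, as an added example that is not part of this thread or of dehydrated: given a renewalInfo response, pick a time inside `suggestedWindow` and renew if it falls before the next cron run, so a window the CA has moved into the past triggers renewal on the next cycle. The function names and sample JSON are constructed for illustration; the window handling assumes the semantics in RFC 9773 and the Let's Encrypt guide linked in the issue.

```bash
#!/usr/bin/env bash
# Added example, not dehydrated code: decide per cron run whether ARI says "renew".

# RFC 3339 UTC timestamp -> epoch seconds using integer arithmetic only,
# so the result does not depend on GNU vs. BSD date.
rfc3339_to_epoch() {
  local re='^([0-9]{4})-([0-9]{2})-([0-9]{2})T([0-9]{2}):([0-9]{2}):([0-9]{2})(\.[0-9]+)?Z$'
  local y m d secs era yoe doy
  [[ $1 =~ $re ]] || return 1
  y=$((10#${BASH_REMATCH[1]})); m=$((10#${BASH_REMATCH[2]})); d=$((10#${BASH_REMATCH[3]}))
  secs=$((10#${BASH_REMATCH[4]} * 3600 + 10#${BASH_REMATCH[5]} * 60 + 10#${BASH_REMATCH[6]}))
  if (( m <= 2 )); then y=$((y - 1)); fi          # count the year from 1 March
  era=$((y / 400)); yoe=$((y % 400))
  doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
  echo $(( (era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468) * 86400 + secs ))
}

# Pull one string member out of a small JSON object (hypothetical helper).
json_field() {
  local re="\"$1\"[[:space:]]*:[[:space:]]*\"([^\"]*)\""
  [[ $2 =~ $re ]] && printf '%s\n' "${BASH_REMATCH[1]}"
}

# Args: renewalInfo JSON, current epoch, seconds until the next cron run,
# optional fixed offset into the window (makes the choice reproducible).
# Prints renew, wait, or fallback (unusable response: use the client's own rule).
ari_decision() {
  local json=$1 now=$2 interval=$3 offset=${4:-} start end span
  start=$(rfc3339_to_epoch "$(json_field start "$json")") || { echo fallback; return 0; }
  end=$(rfc3339_to_epoch "$(json_field end "$json")") || { echo fallback; return 0; }
  span=$((end - start))
  if (( span <= 0 )); then echo fallback; return 0; fi
  # Random point in the window spreads load; the slight modulo bias is harmless here.
  [[ -n $offset ]] || offset=$(( (RANDOM * 32768 + RANDOM) % span ))
  # A point in the past, or one reached before the next run, means renew now.
  if (( start + offset <= now + interval )); then echo renew; else echo wait; fi
}

# Constructed renewalInfo bodies: a normal window, and one moved into the past
# as a CA would do for certificates it is about to revoke.
NORMAL='{"suggestedWindow":{"start":"2025-07-20T00:00:00Z","end":"2025-07-22T00:00:00Z"}}'
REVOKED='{"suggestedWindow":{"start":"2025-05-30T00:00:00Z","end":"2025-05-31T00:00:00Z"},"explanationURL":"https://ca.example/incident"}'
NOW=$(rfc3339_to_epoch 2025-06-01T00:00:00Z)     # constructed "current time"
echo "normal:  $(ari_decision "$NORMAL" "$NOW" 86400)"
echo "revoked: $(ari_decision "$REVOKED" "$NOW" 86400)"
```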