caddyserver/certmagic

Implement ARI

mholt opened this issue · 2 comments

The ACME Renewal Information (ARI) spec might be starting to stabilize, and Let's Encrypt just announced that renewals complying with ARI will not be rate limited. That was my primary concern: intentionally refusing service to clients, especially during times of infrastructure strain when reliability is already questionable and the renewal window is narrowing.

This sets a good precedent going forward and hopefully other CAs who implement ARI will follow their example.

I still have multiple reservations regarding the philosophy behind ARI, but I think it's probably worth implementing, at least with some configuration, since the policies behind ARI can still vary between CAs. For example, a CA might offer ARI, but in a way that does not actually help you ensure reliability when you comply with it. CertMagic's implementation will balance site uptime with optional protocols.

Let's Encrypt has an article to guide the implementation of ARI. ACMEz, CertMagic's underlying ACME library, already supports the latest ARI draft, but CertMagic will need to keep track of state and do some polling and scheduling to make ARI happen for the user.

Tailscale Takeaways could be interesting to look at (BSD-3 license).

This is being staged at #286
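The state tracking and scheduling the issue describes, as an added Go example that is not CertMagic's or ACMEz's code: it parses a renewalInfo response in the draft's JSON shape, picks a random instant in the suggested window, clamps it to a local lifetime-ratio deadline (the configurable balance with uptime mentioned above), and decides whether renewal is due before the next poll. Type, field and function names are assumptions, and the sample window in the test is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/rand"
	"time"
)

// renewalInfo mirrors a draft-ietf-acme-ari renewalInfo JSON response.
type renewalInfo struct {
	SuggestedWindow struct {
		Start time.Time `json:"start"`
		End   time.Time `json:"end"`
	} `json:"suggestedWindow"`
	ExplanationURL string `json:"explanationURL,omitempty"`
}

// parseRenewalInfo decodes the body and rejects an inverted window, so a
// malformed CA answer falls back to local policy rather than never firing.
func parseRenewalInfo(body []byte) (renewalInfo, error) {
	var ri renewalInfo
	if err := json.Unmarshal(body, &ri); err != nil {
		return ri, err
	}
	if w := ri.SuggestedWindow; !w.End.After(w.Start) {
		return ri, fmt.Errorf("ARI window end %s not after start %s", w.End, w.Start)
	}
	return ri, nil
}

// planRenewal picks a uniformly random instant in the ARI window (spreading
// renewals across clients, as the draft recommends) but never later than a
// local deadline at fallbackRatio of the cert lifetime, so a CA window with no
// reliability margin cannot push renewal past the point where uptime is at risk.
func planRenewal(ri renewalInfo, notBefore, notAfter time.Time, fallbackRatio float64, rng *rand.Rand) time.Time {
	w := ri.SuggestedWindow
	selected := w.Start.Add(time.Duration(rng.Int63n(int64(w.End.Sub(w.Start)))))
	deadline := notBefore.Add(time.Duration(fallbackRatio * float64(notAfter.Sub(notBefore))))
	if deadline.Before(selected) {
		return deadline
	}
	return selected
}

// dueNow reports whether the planned time lands before the next scheduled
// wake-up; if so the client renews immediately instead of sleeping past it.
func dueNow(now, planned time.Time, pollInterval time.Duration) bool {
	return !planned.After(now.Add(pollInterval))
}
```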