ACME, ARI, and Surviving 47-Day Certificates
The public certificate lifecycle is collapsing. From 200 days today, to 100 days in March 2027, to 47 days in March 2029. The era of "renew once a year, put it in the calendar" is over. This is a practical guide to the automation stack that replaces it — and the monitoring you still need on top.
The Shrinking Certificate Lifespan
Under CA/Browser Forum Ballot SC-081, the maximum public TLS certificate lifetime is collapsing on a fixed schedule. By 2029, manual issuance is operationally impossible:
Why the Lifetime Cuts Happened
Three things drive shorter certificate lifetimes, and they're all rational:
Revocation doesn't work
Browsers stopped honouring OCSP and CRLs years ago because they break load-time UX. The only reliable revocation is "wait for the cert to expire" — so shorter certs shrink the revocation window.
Shorter compromise blast radius
A stolen private key in 2025 was useful for up to a year. In 2029 it's useful for 47 days.
Automation is now mature
ACME has been a proven, IETF-standardised protocol (RFC 8555) since 2019. The infrastructure exists to renew daily if needed.
ACME: The Protocol You're Already Using
ACME (Automated Certificate Management Environment, RFC 8555) is the protocol between your server and a CA. Let's Encrypt invented it; everyone now uses it. BuyPass, Google Trust Services, ZeroSSL, AWS Private CA, Cloudflare, Sectigo, and Microsoft Azure Key Vault all expose ACME endpoints.
The handshake, step by step
Modern clients do all of this in one shell command and a cron entry — but under the hood, every issuance and renewal runs the same loop:
Order
Your client creates an account key and asks the CA for an order covering one or more hostnames.
Challenge
The CA returns authorizations with challenges for each hostname you want to certify.
Validate
You prove control by serving an HTTP file (HTTP-01) or publishing a DNS record (DNS-01); the CA validates it.
Issue
You submit a CSR and the CA issues the certificate, signed by its intermediate.
Install
The client writes the cert and key, then runs a deploy/reload hook so the server serves it gracefully.
Auto-renew
A timer or daemon repeats the loop before expiry — following the ARI window when available.
Picking a client
| Client | Best For | ARI Support |
|---|---|---|
| certbot | Default Linux server, Apache/nginx plugins | Yes (2.9+) |
| acme.sh | Pure shell, lightweight, many DNS plugins | Yes (3.0+) |
| lego | Go binary, single static binary, scripting | Yes |
| step-cli (Smallstep) | Internal CAs, mTLS, short-lived certs | Yes |
| Caddy / Traefik | Reverse proxies with built-in ACME | Yes |
| cert-manager | Kubernetes | Yes (1.13+) |
HTTP-01 vs DNS-01: Pick One
Both challenges prove you control a hostname — they just put the proof in a different place:
The CA gives you a token; you serve it at http://yourhost/.well-known/acme-challenge/<token>. Easiest possible setup.
- Nothing to configure beyond a web root
- No wildcards (
*.example.com) - No hosts behind a private network
The CA gives you a token; you publish a TXT record under _acme-challenge.
- Works for wildcards
- Works for hosts that aren't publicly reachable
- Needs API access to your DNS (Cloudflare, Route53, DigitalOcean, deSEC, etc.) and the matching client plugin
ARI: The New Renewal Signal
ACME Renewal Information (ARI), standardised as RFC 9773 in 2025, is the most important addition to the protocol since launch. Before ARI, clients renewed on a fixed schedule — usually at two-thirds of the certificate lifetime. That was fine for predictable 90-day Let's Encrypt certs, but it breaks down for short-lived certs and especially for emergency rotations.
What ARI does
The CA exposes a per-certificate endpoint that returns a JSON object containing a
suggestedWindow — the earliest and latest times your client should
renew. The client polls the endpoint, and renews when it falls inside the window.
GET /acme/renewal-info/<cert-id>
200 OK
{
"suggestedWindow": {
"start": "2026-06-01T00:00:00Z",
"end": "2026-06-08T00:00:00Z"
},
"explanationURL": "https://letsencrypt.org/docs/incident-..."
}Why it matters
- Mass-rotation events become safe. When a CA needs to revoke a batch of certificates (e.g. an incident, a key-ceremony rotation), it can advance the suggested window for affected certs. Your client renews automatically. The only reason you'd know an incident happened is the email.
- Load is spread. The CA returns staggered windows, so renewals don't pile on identical schedules every 60 days.
- It's free and lossless. Even if ARI is unavailable, the client falls back to its default schedule. There's no downside to enabling it.
Let's Encrypt has supported ARI in production since 2024. Google Trust Services, Sectigo, and Smallstep enabled it through 2025. Make sure your client is recent enough to use it.
MPIC: What Changed in Validation
Multi-Perspective Issuance Corroboration (MPIC) became mandatory under the CA/Browser Forum Baseline Requirements in March 2025. CAs must now validate domain control from at least two geographically diverse network perspectives, with a third for high-risk issuance.
For most users this is invisible. For two groups it matters:
- Self-hosted DNS with regional anycast quirks — if your
_acme-challengepropagation is uneven, MPIC will flag the mismatch and the order fails. Use a robust DNS provider and verify propagation before calling the CA. - Internal/split-horizon DNS — if your public DNS returns
different records depending on source, expect validation to fail from at least
one perspective. Don't split-horizon the
_acme-challengename.
A Real-World Setup (nginx + certbot + DNS-01)
# Install
sudo apt install certbot python3-certbot-dns-cloudflare
# Cloudflare API token in ~/.cloudflare.ini (chmod 600)
dns_cloudflare_api_token = <token-with-Zone:DNS:Edit>
# Issue
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.cloudflare.ini \
-d example.com -d '*.example.com' \
--preferred-challenges dns-01 \
--agree-tos --email security@example.com
# Auto-renew (certbot.timer is installed by default on most distros)
systemctl status certbot.timer
# certbot honours ARI automatically from 2.9+; renew is safe to run hourly
sudo certbot renew --deploy-hook "systemctl reload nginx"That handles issuance and renewal. The hard part is catching the failures that don't page you — expired API tokens, rate-limits during bulk rotations, CAA drift, hijacked challenge paths, and renewals that succeed on disk but never reload the server. The "don't assume" column below covers each one.
Independent Monitoring: Why You Still Need It
Automation removes manual work. It doesn't remove failure modes — it just changes which ones occur. The cardinal sin of certificate operations is trusting the automation. Run independent monitoring, and don't assume a green renew job means a green served certificate:
- Hit your host over TCP and read the actual served certificate.
- Alert at 14, 7, 3, and 1 days before expiry.
- Cover every public hostname — including the ones nobody documented.
- Watch Certificate Transparency logs for unexpected issuance.
- Test the full chain, not just the leaf.
- That a renew job which succeeded actually reloaded the server — the reload hook is the most common silent failure.
- That an expired or revoked DNS API token will page you — the job logs and exits quietly.
- That a CAA record still lists your CA — audit changes to CAA.
- That a new app on the same host didn't hijack
/.well-known/acme-challenge/. - That your DNS provider won't rate-limit you during a bulk-rotation event — stagger renewals.
Quick Reference Checklist
- Modern ACME client with ARI support (certbot 2.9+, acme.sh 3.0+, lego, cert-manager 1.13+)
- DNS-01 challenge configured with API access to your DNS provider
- Renewal job runs hourly (or via daemon mode)
- Deploy/reload hook reloads the server gracefully on renewal
- CAA record restricts issuance to your chosen CA(s)
- Independent external monitoring of every public hostname
- Renew job failures alert on the next failed run, not at expiry
- CT log monitoring for unexpected issuance on your domain