Let's encrypt switching from emails to ACME Renewal Information (ARI)

Let's Encrypt is about to end the email notification service that reminds subscribers about expiring TLS certificates. Read on to find out why, and what the alternative is.


Introduction

For every website, TLS certificate management is a crucial part of maintaining a secure online presence. A TLS certificate is essentially a cryptographic key pair used to encrypt the information people share online. As you might expect, obtaining a TLS certificate from a commercial vendor such as DigiCert can cost anywhere from a few hundred to thousands of dollars. For this reason, a nonprofit Certificate Authority named Let's Encrypt was founded some years ago with the vision of securing the web by providing free TLS certificates. Today many well-known companies, including CNET, Automattic, TechRadar and ZDNet, use TLS certificates issued by Let's Encrypt.

Reason for Change

Every TLS certificate issued by Let's Encrypt is valid only for a period of 3 months, so customers renew their certificates about 20 days before that period expires. The problem was that Let's Encrypt had to maintain a database of millions of website customers and send them multiple kinds of email: reminders before certificate expiry, notices of account logins from unknown locations, and so on. For any organisation this means sending millions of emails every day and storing and maintaining all of that data, which costs Let's Encrypt tens of thousands of dollars per year. Hence, Let's Encrypt decided to end the service on June 4, 2025.

Having analysed this, Let's Encrypt has introduced a replacement mechanism, ACME Renewal Information (ARI), to improve the efficiency and reliability of certificate renewals. ARI gives clients a structured way to decide when to renew while staying within the CA's rate limits. By integrating ARI into their ACME clients, developers can streamline the renewal process and reduce the risk of certificates expiring unnoticed.

Integrating ARI

The first step in the integration process is determining whether the Certificate Authority (CA) supports ARI. This is done by checking for the presence of a renewalInfo endpoint in the CA's directory object. If this endpoint exists, the CA supports ARI and developers can proceed with the implementation.

Ideally, ARI should be integrated into the existing renewal process without disrupting the ACME client's lifecycle. This requires identifying the best point in the workflow at which to fetch renewal information, and making sure that step fits alongside the client's other certificate management functions.

Each certificate requires a unique identifier, referred to as the ARI CertID. This ID is constructed from the certificate's Authority Key Identifier (AKI) and its serial number. Both values are base64url-encoded and concatenated with a period, creating a distinct identifier that the client uses when requesting renewal information for that certificate.

Requesting Suggested Renewal Window

Once ARI is supported and properly integrated, the next step is fetching the suggested renewal window. The renewalInfo endpoint provides a JSON object containing start and end timestamps, which define the optimal renewal period. Clients should select a specific time within this range to initiate the renewal, following the best practices outlined in the ARI draft.

To take full advantage of ARI’s benefits, including exemption from rate limits, ACME clients must include a replaces field when placing a new order. This explicitly signals that the renewal is being performed within the recommended timeframe, ensuring a smoother process with fewer restrictions.
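The five steps above (check the directory for renewalInfo, build the CertID, fetch the suggested window, pick a time inside it, and send a newOrder with replaces) can be exercised end to end in a small script. The following is an added example, not code from the original article or from Let's Encrypt: the ca.example URLs and the ARI response are constructed placeholders, the AKI keyIdentifier and serial number are the values used in the ARI draft's own worked example, and extracting those two fields from a real certificate (with an X.509 parser) is assumed to happen elsewhere.

```python
import base64
import json
import random
from datetime import datetime

# Constructed sample directory object, as an ACME client would receive it from
# GET /directory. The ca.example URLs are placeholders, not a real CA's endpoints.
SAMPLE_DIRECTORY = {
    "newNonce": "https://ca.example/acme/new-nonce",
    "newAccount": "https://ca.example/acme/new-account",
    "newOrder": "https://ca.example/acme/new-order",
    "renewalInfo": "https://ca.example/acme/renewal-info",
}


def supports_ari(directory: dict) -> bool:
    """Step 1: a CA advertises ARI by listing a renewalInfo URL in its directory."""
    return isinstance(directory.get("renewalInfo"), str)


def _b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _der_integer_content(n: int) -> bytes:
    """Content octets of a DER INTEGER: minimal big-endian two's complement.
    A positive value whose top bit is set gets a leading 0x00 so it stays positive."""
    if n < 0:
        raise ValueError("certificate serial numbers are positive")
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """Step 2: CertID = base64url(AKI keyIdentifier) + '.' + base64url(serial DER content).
    The AKI input is the keyIdentifier octets only, not the whole extension."""
    return f"{_b64url(aki_key_identifier)}.{_b64url(_der_integer_content(serial))}"


def renewal_info_url(directory: dict, cert_id: str) -> str:
    """Step 3: the client sends a plain GET to <renewalInfo>/<CertID>."""
    return f"{directory['renewalInfo']}/{cert_id}"


def _parse_rfc3339(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" on newer Pythons, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def choose_renewal_time(renewal_info: dict, now: datetime, next_run: datetime,
                        rng=random.random) -> tuple:
    """Step 4: pick a uniformly random instant inside suggestedWindow.
    Returns (renew_now, chosen_time). Renew immediately if the chosen instant is
    already past or falls before the client's next scheduled run; otherwise wait
    until next_run and re-check ARI (honouring any Retry-After header) at that point."""
    window = renewal_info["suggestedWindow"]
    start, end = _parse_rfc3339(window["start"]), _parse_rfc3339(window["end"])
    chosen = start + (end - start) * rng()
    return (chosen <= now or chosen <= next_run), chosen


def new_order_payload(domains: list, cert_id: str) -> dict:
    """Step 5: the newOrder body carries "replaces" so the CA can tie the new
    certificate to the one being renewed and apply the ARI rate-limit exemption."""
    return {
        "identifiers": [{"type": "dns", "value": d} for d in domains],
        "replaces": cert_id,
    }


if __name__ == "__main__":
    # Sample inputs: AKI keyIdentifier and serial number from the ARI draft's example.
    aki = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
    cert_id = ari_cert_id(aki, 0x87654321)
    print(renewal_info_url(SAMPLE_DIRECTORY, cert_id))
    # Constructed ARI response, in the shape a client gets back from that URL.
    response = {
        "suggestedWindow": {"start": "2025-05-01T00:00:00Z", "end": "2025-05-03T00:00:00Z"},
        "explanationURL": "https://ca.example/docs/ari",
    }
    now = _parse_rfc3339("2025-04-30T00:00:00Z")
    renew_now, when = choose_renewal_time(response, now, _parse_rfc3339("2025-04-30T12:00:00Z"))
    print(renew_now, when.isoformat())
    print(json.dumps(new_order_payload(["example.com"], cert_id)))
```

The random offset inside the window is deliberate: it spreads renewals from many clients across the CA's window instead of piling them onto its start, which is what ARI's rate-limit exemption assumes. A client that cannot wake at an arbitrary instant should renew as soon as the chosen time falls before its next scheduled run rather than skipping past it.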

Conclusion

Switching to ARI before Let's Encrypt's email notification service ends on June 4, 2025 is well worth doing. Integrating ARI into existing ACME clients improves the efficiency, reliability, and rate-limit compliance of certificate renewals. By following the steps outlined above, developers can automate the renewal process more effectively while reducing disruptions caused by expired certificates. As Let's Encrypt continues to refine and improve its services, adopting these changes helps keep the internet secure and stable for everyone.

For further information, read the original announcement published by Let's Encrypt.

Ending Support for Expiration Notification Emails
Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us. We will be ending this service on June 4, 2025. The decision to end this service is the result of the following factors: Over the past 10 years more and more of our subscribers have been able to put reliable automation into place for certificate renewal. Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records.