Skip to content

ARI - Add support for Mass Revocation#6953

Open
sim0n-v wants to merge 5 commits into
acmesh-official:devfrom
sim0n-v:patch-2
Open

ARI - Add support for Mass Revocation#6953
sim0n-v wants to merge 5 commits into
acmesh-official:devfrom
sim0n-v:patch-2

Conversation

@sim0n-v

@sim0n-v sim0n-v commented May 7, 2026

Copy link
Copy Markdown
Contributor

Ref:

ARI should support imminent renewal (renew in 24 hours, before revocation by the CA).

First option was to add support for ARI on issue() (see #6952).
I think it is better to simply update the $Le_NextRenewTime and $Le_NextRenewTimeStr when ARI "start" is in the past.

@sim0n-v

sim0n-v commented May 10, 2026

Copy link
Copy Markdown
Contributor Author

Hi there!

I came up with a better idea!

When the $Le_NextRenewTime is not in the suggestedWindow given by ARI, update the value with the same algorithm used after certificate issuance.

If you want to try this, copy the ACME Directory (e.g. https://acme-staging-v02.api.letsencrypt.org/directory), self-host the output and update the "renewalInfo" url to use your own ACME Renewal Info.

@sim0n-v sim0n-v mentioned this pull request May 14, 2026
Open
e-nomem
e-nomem reviewed May 16, 2026
View reviewed changes
Comment thread acme.sh Outdated
@neilpang neilpang requested a review from Copilot May 16, 2026 07:53
Copilot AI reviewed May 16, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds ARI (RFC 9773) handling in renew() to better cope with CA-driven renewal scheduling changes (e.g., mass revocation scenarios) by recalculating and persisting Le_NextRenewTime when the CA’s ARI window no longer matches the locally stored renewal time.

Changes:

  • Require both suggestedWindow.start and suggestedWindow.end before applying ARI logic in renew().
  • Compute ARI window bounds and update Le_NextRenewTime/Le_NextRenewTimeStr when the stored renewal time falls outside the CA-provided window.
  • Persist the updated next-renewal timestamps back into DOMAIN_CONF during renewal checks.

Critical Issues (Must Fix Before Merge)

  • The new ARI update condition performs -lt/-gt numeric comparisons on Le_NextRenewTime without ensuring it is present and numeric; this can error if the value is missing/corrupted and prevent applying the ARI window correctly.

Suggestions (Improvements to Consider)

  • None beyond the blocking issue above.

Good Practices (Points to Commend)

  • Uses existing helpers (_date2time, _math, _time2str, _savedomainconf) and matches the ARI window-picking approach already used elsewhere in the script.

Comment thread acme.sh Outdated
@sim0n-v

sim0n-v commented May 16, 2026

Copy link
Copy Markdown
Contributor Author

Hey,

acme.sh now displays explanationURL (see LE's guide, Step 4).

The ’explanationURL’ is optional. However, if it’s provided, it’s recommended to display it to the user or log it.

Printed in logs with _info and added in notifications.

@e-nomem e-nomem mentioned this pull request May 17, 2026
Open
e-nomem added a commit to e-nomem/acme.sh that referenced this pull request May 17, 2026
@e-nomem
Merge acmesh-official#6939 and acmesh-official#6953 with dev
3b1f3c8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@e-nomem e-nomem e-nomem left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sim0n-v @e-nomem