Let's Encrypt simulated revoking 3 million certificates. Most ACME clients didn't notice.
Let’s Encrypt ran their first annual mass revocation drill, shortening ARI renewal windows across 3 million production certificates. Here’s what happened.
Certbot solved certificate issuance. It’s great at that. The hard part is everything that happens after: getting the certificate file to every server that needs it, in the right format, with the right permissions, and confirming each one is actually serving it. Nobody handed you a solution for that.
When a CA has to revoke hundreds of thousands of certificates on a short deadline, email notifications aren’t enough. ARI is the protocol that lets the CA tell your client directly: renew now. Here’s how it works, and why most ACME clients can’t actually respond in time.
CertKit now polls Let’s Encrypt multiple times a day to check when each certificate should renew. That means mass revocations happen automatically, without you doing anything. We also added support for 6-day certificates for environments where 90 days isn’t short enough.
Certbot ran. The logs show success. Exit code 0. LinkedIn found out the hard way that renewed and deployed are not the same thing. The verify step is the part of certificate automation nobody builds until after the outage.
Most teams “automate certificates” by installing an ACME client and calling it a day. Then they still ship an outage because the hard parts were never automated: knowing what exists, keeping validation safe, and verifying what’s actually being served.
Your nginx doesn’t need to understand ACME. Your mail server doesn’t need DNS credentials. Your VPN appliance can’t even run Certbot. They just need a certificate file. CertKit handles validation centrally and lets your servers subscribe to certificates.
The CA/Browser Forum set 47-day certificates as the target for 2029. Let’s Encrypt decided to implement it a year earlier. Here’s their roadmap and what it means for your automation.
Every service you onboard wants proof you control your domain. Most want your DNS credentials to automate that proof. There’s a better approach: CNAME delegation lets you authorize a service once without handing over the keys to your entire zone.
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questionable.
HTTPS went from 40% to over 90% of web traffic in a decade and the ACME protocol made that possible. But ACME solved certificate issuance, not certificate operations. Getting a cert is easy now. Getting it onto all your servers is still your job.
It started as 47 beautiful lines of bash. Now it’s a distributed certificate system built on thousands of command line incantations nobody understands, running on every server and some of the printers. If someone looks at it the wrong way, a certificate expires.