Let's Encrypt simulated revoking 3 million certificates. Most ACME clients didn't notice.
Let’s Encrypt ran their first annual mass revocation drill, shortening ARI renewal windows across 3 million production certificates. Here’s what happened.
Certbot solved certificate issuance. It’s great at that. The hard part is everything that happens after: getting the certificate file to every server that needs it, in the right format, with the right permissions, and confirming each one is actually serving it. Nobody handed you a solution for that.
When a CA has to revoke hundreds of thousands of certificates on a short deadline, email notifications aren’t enough. ARI is the protocol that lets the CA tell your client directly: renew now. Here’s how it works, and why most ACME clients can’t actually respond in time.
CertKit now polls Let’s Encrypt’s ARI endpoint multiple times a day to check when each certificate should renew. When Let’s Encrypt shortens a certificate’s renewal window, as it does during a mass revocation, the renewal happens automatically, without you doing anything. We also added support for 6-day certificates for environments where 90 days isn’t short enough.
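The two posts above describe what an ARI-aware client has to do: build the certificate identifier, fetch the suggested window, and act on it. This is an added example of that client logic as specified in RFC 9773; it is not CertKit’s code and not from the original posts. The directory entry and the renewalInfo response are constructed sample data (the AKI and serial in the demo are the worked example from the ARI specification itself), and the polling default is an assumption.

```python
# Added example of ARI (RFC 9773) client logic: not CertKit's code, not from the
# original page. Sample directory URL and renewalInfo response below are constructed.
import base64
import random
from datetime import datetime, timedelta


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """Build the ARI certID: base64url(AKI keyIdentifier) '.' base64url(serial).

    The serial part is the content octets of the certificate's DER INTEGER
    (minimal big-endian two's complement), so a serial whose top bit is set
    carries a leading 0x00 byte. Get this wrong and the CA returns 404 for a
    certID it has never issued, and the client never sees a shortened window.
    """
    serial_der = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    return f"{b64url(aki_key_identifier)}.{b64url(serial_der)}"


def renewal_info_url(directory: dict, cert_id: str) -> str:
    """The endpoint is a plain unauthenticated GET; no account key or JWS needed."""
    return f"{directory['renewalInfo']}/{cert_id}"


def parse_rfc3339(value: str) -> datetime:
    """RFC 3339 timestamps; tolerate the trailing 'Z' on older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def plan_renewal(renewal_info: dict, now: datetime, seed=None):
    """Decide what to do with a renewalInfo response. Returns (renew_now, when).

    RFC 9773: pick a uniformly random instant inside suggestedWindow so a fleet
    does not stampede the CA. If that instant is already in the past, including a
    window that closed entirely before now (what a mass revocation looks like from
    the client side), renew immediately.
    """
    rng = random.Random(seed)
    window = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= now:
        return True, now
    chosen = start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))
    if chosen <= now:
        return True, now
    return False, chosen


def next_poll(now: datetime, retry_after_seconds=None, default_hours: float = 6.0) -> datetime:
    """Honour the CA's Retry-After header; otherwise poll a few times a day
    (the 6-hour default is an assumption, not a CertKit or Let's Encrypt value)."""
    if retry_after_seconds is not None:
        return now + timedelta(seconds=retry_after_seconds)
    return now + timedelta(hours=default_hours)


if __name__ == "__main__":
    # Constructed directory entry, not Let's Encrypt's real URL.
    directory = {"renewalInfo": "https://acme.example/renewalInfo"}
    # AKI keyIdentifier and serial from the ARI specification's worked example.
    aki = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
    cert_id = ari_cert_id(aki, 0x87654321)
    print("GET", renewal_info_url(directory, cert_id))
    # Constructed response: the CA has pulled the window into the past.
    response = {"suggestedWindow": {"start": "2025-01-01T00:00:00Z",
                                    "end": "2025-01-01T06:00:00Z"},
                "explanationURL": "https://acme.example/incident"}
    now = parse_rfc3339("2025-01-03T12:00:00Z")
    renew, when = plan_renewal(response, now)
    print("renew now" if renew else f"renew at {when.isoformat()}")
    print("next poll", next_poll(now, None).isoformat())
```

A client that only consults ARI once, at the scheduled renewal time, never sees a window the CA pulled forward yesterday. The polling interval is what turns ARI from a hint into a response mechanism, which is why the response handling and `next_poll` belong together.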
Certbot ran. The logs show success. Exit code 0. LinkedIn found out the hard way that renewed and deployed are not the same thing. The verify step is the part of certificate automation nobody builds until after the outage.
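The verify step described above, as an added example (not CertKit’s or Certbot’s code, and not from the original post): connect to each endpoint, take the leaf certificate the server actually presents, and compare its SHA-256 fingerprint with the leaf in the renewed chain file. The sample PEM in the demo is constructed, not a real certificate, and the hostnames are placeholders.

```python
# Added example of a post-renewal deployment check; not CertKit's or Certbot's code.
# The PEM in the demo is constructed test data, and hostnames are placeholders.
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def leaf_der_from_pem(pem_text: str) -> bytes:
    """The first certificate in a fullchain.pem is the leaf; ignore the rest,
    and tolerate comments or blank lines before the first header."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    return ssl.PEM_cert_to_DER_cert(pem_text[start:end])


def served_leaf_der(host: str, port: int = 443, server_name=None, timeout: float = 5.0) -> bytes:
    """Fetch the leaf the server presents for this SNI name.

    Verification is deliberately off: an expired or mismatched certificate is
    exactly the failure we want to observe, not a reason to abort the check.
    check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert(binary_form=True)


def deployment_matches(expected_pem: str, served_der: bytes) -> bool:
    """True only if the server presents byte-for-byte the renewed leaf."""
    return sha256_fingerprint(leaf_der_from_pem(expected_pem)) == sha256_fingerprint(served_der)


def check_endpoints(expected_pem: str, endpoints):
    """endpoints: iterable of (host, port, sni). Returns (host, port, ok, error)
    per endpoint. One False means the renewal is not done, whatever the exit code said."""
    results = []
    for host, port, sni in endpoints:
        try:
            served = served_leaf_der(host, port, sni)
            results.append((host, port, deployment_matches(expected_pem, served), None))
        except (OSError, ssl.SSLError) as exc:
            results.append((host, port, False, str(exc)))
    return results


if __name__ == "__main__":
    # Placeholder endpoints; in practice read fullchain.pem and the real host list.
    # Constructed PEM (not a real certificate) so the demo runs without a file.
    sample_pem = PEM_BEGIN + "\nMAMCAQU=\n" + PEM_END + "\n"
    for host, port, ok, err in check_endpoints(sample_pem, [("www.example.com", 443, None)]):
        print(host, port, "OK" if ok else "MISMATCH", err or "")
```

Comparing fingerprints rather than expiry dates catches the common case where nginx was never reloaded and keeps serving the previous leaf, which can still be weeks from expiry. Run the check against every server and every SNI name that is supposed to serve the certificate, including load balancer members behind the public address.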
Your nginx doesn’t need to understand ACME. Your mail server doesn’t need DNS credentials. Your VPN appliance can’t even run Certbot. They just need a certificate file. CertKit handles validation centrally and lets your servers subscribe to certificates.
The CA/Browser Forum set a 47-day maximum certificate lifetime, effective in 2029. Let’s Encrypt decided to implement it a year earlier. Here’s their roadmap and what it means for your automation.
IT teams keep buying certificates from DigiCert and Sectigo because free feels risky. But the assumptions behind that trust are a decade old. Let’s Encrypt now secures 64% of the web, is funded by Google and AWS, and uses the same encryption as your $500 certificate. The real question isn’t whether free is good enough. It’s whether you’ve examined your objections lately.
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questionable.
HTTPS went from 40% to over 90% of web traffic in a decade and the ACME protocol made that possible. But ACME solved certificate issuance, not certificate operations. Getting a cert is easy now. Getting it onto all your servers is still your job.