Certbot 4.1.0
Added
- ACME Renewal Info (ARI) support. https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
  `certbot renew` will automatically check ARI when using an ACME server that supports it, and may renew early based on the ARI information. For Let's Encrypt certificates this will typically cause renewal at around 2/3rds of the certificate's lifetime, even if the `renew_before_expiry` field of a lineage renewal config is set to a later date.
Changed
- Switched to src-layout from flat-layout to accommodate PEP 517 pip editable installs
- `acme.client.ClientNetwork` now makes the "key" parameter optional.
- Deprecated `acme.challenges.TLSALPN01Response`
- Deprecated `acme.challenges.TLSALPN01`
- Deprecated parameter `alpn_protocols` from `acme.crypto_util.probe_sni`
- Deprecated `acme.crypto_util.SSLSocket`
- Deprecated `acme.standalone.TLSServer`
- Deprecated `acme.standalone.TLSALPN01Server`
- Deprecated parameter `enforce_openssl_binary_usage` from `certbot.ocsp.RevocationChecker`.
- Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer versions of the cryptography Python package. Python 3.9.2+ is still supported.
Fixed
- Order finalization now catches an `orderNotReady` response, polls until the order status is `ready`, and resubmits the finalization request before polling for `valid` to download the certificate. This conforms to RFC 8555 more accurately and avoids a race condition where all authorizations are fulfilled but the order has not yet transitioned to the ready state on the server when the finalization request is sent. It also respects Retry-After when polling for finalization readiness.
- The `--preferred-profile` and `--required-profile` flags now have their values stored in the renewal configuration so the same setting will be used on renewal.
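The finalization flow described in the first entry above, as an added example written against RFC 8555 section 7.4; it is not Certbot's own code. The `FakeAcmeServer` class is a constructed stand-in for a real ACME endpoint whose order lags behind the client's completed authorizations, so the first `finalize` request is answered with `orderNotReady`; the URL `https://acme.example/cert/1`, the Retry-After values and the `sleep` hook are all assumptions made for the example. Only the integer form of Retry-After is handled.

```python
"""Order finalization that survives the pending->ready race (constructed example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

ORDER_NOT_READY = "urn:ietf:params:acme:error:orderNotReady"


class AcmeError(Exception):
    pass


@dataclass
class Response:
    status: int
    body: Dict[str, object]
    headers: Dict[str, str] = field(default_factory=dict)


class FakeAcmeServer:
    """Constructed stand-in for an ACME server. All authorizations are already
    valid, but the order only flips from 'pending' to 'ready' after a few polls,
    which is exactly the window in which a naive client's finalize request fails."""

    def __init__(self, polls_until_ready: int, polls_until_valid: int, outcome: str = "valid"):
        self.status = "pending"
        self.finalize_calls = 0
        self._polls_until_ready = polls_until_ready
        self._polls_until_valid = polls_until_valid
        self._outcome = outcome  # what 'processing' turns into: 'valid' or 'invalid'

    def post_finalize(self, csr_der: bytes) -> Response:
        self.finalize_calls += 1
        if self.status != "ready":
            return Response(403, {"type": ORDER_NOT_READY, "detail": "order is %s" % self.status},
                            {"Retry-After": "2"})
        self.status = "processing"
        return Response(200, {"status": self.status}, {"Retry-After": "1"})

    def get_order(self) -> Response:
        if self.status == "pending":
            self._polls_until_ready -= 1
            if self._polls_until_ready <= 0:
                self.status = "ready"
        elif self.status == "processing":
            self._polls_until_valid -= 1
            if self._polls_until_valid <= 0:
                self.status = self._outcome
        body: Dict[str, object] = {"status": self.status}
        if self.status == "valid":
            body["certificate"] = "https://acme.example/cert/1"  # assumed URL
        return Response(200, body, {"Retry-After": "1"})


def retry_after_seconds(resp: Response, default: float = 1.0) -> float:
    """Honour an integer Retry-After header; fall back to a default otherwise."""
    try:
        return float(resp.headers["Retry-After"])
    except (KeyError, ValueError):
        return default


def poll_order(server: FakeAcmeServer, last: Response, want: str,
               sleep: Callable[[float], None], max_polls: int) -> Response:
    """Poll the order until it reaches `want`, sleeping Retry-After between polls.
    'invalid' is terminal and raises; a poll budget stops us spinning forever."""
    for _ in range(max_polls):
        sleep(retry_after_seconds(last))
        last = server.get_order()
        status = last.body["status"]
        if status == want:
            return last
        if status == "invalid":
            raise AcmeError("order became invalid while waiting for %s" % want)
    raise AcmeError("order did not reach %s after %d polls" % (want, max_polls))


def finalize_order(server: FakeAcmeServer, csr_der: bytes,
                   sleep: Callable[[float], None] = time.sleep, max_polls: int = 20) -> str:
    """Submit the CSR and return the certificate URL once the order is valid."""
    resp = server.post_finalize(csr_der)
    if resp.status != 200:
        if resp.body.get("type") != ORDER_NOT_READY:
            raise AcmeError("finalize failed: %r" % (resp.body,))
        # The server has not moved the order to 'ready' yet: wait for it and
        # resubmit, rather than treating the race as a hard failure.
        resp = poll_order(server, resp, "ready", sleep, max_polls)
        resp = server.post_finalize(csr_der)
        if resp.status != 200:
            raise AcmeError("finalize failed after order became ready: %r" % (resp.body,))
    if resp.body.get("status") != "valid":
        resp = poll_order(server, resp, "valid", sleep, max_polls)
    return str(resp.body["certificate"])


if __name__ == "__main__":
    waits = []
    url = finalize_order(FakeAcmeServer(2, 1), b"fake-csr", sleep=waits.append)
    print(url, "after waits of", waits)
```

Passing a recording function as `sleep` lets the Retry-After handling be checked without actually waiting; a real client would keep `time.sleep` and typically also cap the total wait rather than only the poll count.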
- Fixed an unintended change introduced in 4.0.0 where `renew_before_expiry` could not be shorter than certbot's default renewal time. If the server does not provide an ARI response, `renew_before_expiry` will continue to override certbot's default. However, an early ARI response will override a later `renew_before_expiry` time, to account for notifications in case of certificate revocation, especially given the impending deprecation of OCSP (https://letsencrypt.org/2024/12/05/ending-ocsp/). To force a later date, users can replace certbot's default cron job and/or systemd timer with one that runs on their own schedule.
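The client side of ARI as described in the "Added" entry, together with the `renew_before_expiry` interaction described in the entry just above, as an added example; it is not Certbot's code and follows draft-ietf-acme-ari rather than Certbot's implementation. The certificate identifier and renewalInfo JSON are constructed (the identifier test values come from the draft's worked example), no HTTP request is made, `default_lead` is passed in explicitly rather than claiming what Certbot's built-in default is, and the "renew at the earlier of the ARI time and the local time" rule is this example's reading of the changelog text.

```python
"""ARI client logic: certID construction, window choice, renew_before_expiry interaction."""
import base64
import json
import random
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME uses throughout (RFC 8555, section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """ARI certificate identifier: base64url(AKI keyIdentifier) '.' base64url(serial).

    The serial part is the DER INTEGER content octets (no tag, no length), so a
    serial whose top bit is set carries a leading 0x00 byte, as in the draft's example."""
    if serial < 0:
        raise ValueError("X.509 serial numbers are positive")
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    return f"{b64url(aki_key_identifier)}.{b64url(serial_bytes)}"


def parse_utc(stamp: str) -> datetime:
    """Parse an RFC 3339 timestamp; replacing 'Z' keeps Python < 3.11 happy."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_renewal_info(body: str) -> Tuple[datetime, datetime]:
    """Extract suggestedWindow from a renewalInfo response, rejecting an empty
    or reversed window instead of silently picking a time from it."""
    window = json.loads(body)["suggestedWindow"]
    start, end = parse_utc(window["start"]), parse_utc(window["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    return start, end


def pick_renewal_time(start: datetime, end: datetime, rng: random.Random) -> datetime:
    """Uniformly random instant in [start, end), so a fleet of clients spreads its load."""
    return start + (end - start) * rng.random()


def should_renew(now: datetime, not_after: datetime, renew_before_expiry: Optional[timedelta],
                 ari_time: Optional[datetime], default_lead: timedelta) -> bool:
    """Without ARI, renew_before_expiry (if set) overrides default_lead. With ARI,
    renewal is due at the earlier of the ARI time and the local time, so an early
    ARI answer wins over a later renew_before_expiry (assumed reading of the rule)."""
    lead = renew_before_expiry if renew_before_expiry is not None else default_lead
    local_time = not_after - lead
    due = local_time if ari_time is None else min(ari_time, local_time)
    return now >= due


def scenario() -> Dict[str, object]:
    """Constructed walk-through: a 90-day certificate, a window placed around 2/3
    of its lifetime, and the three situations the changelog describes."""
    not_after = parse_utc("2025-04-01T00:00:00Z")  # issued 2025-01-01, 90-day lifetime
    body = json.dumps({"suggestedWindow": {"start": "2025-03-01T00:00:00Z",
                                           "end": "2025-03-03T00:00:00Z"}})
    start, end = parse_renewal_info(body)
    ari_time = pick_renewal_time(start, end, random.Random(42))
    now = parse_utc("2025-03-03T00:00:00Z")  # just past the whole window
    thirty = timedelta(days=30)  # assumed default lead, not Certbot's actual value
    return {
        "ari_time_in_window": start <= ari_time < end,
        # lineage asks for 7 days before expiry (25 Mar), but ARI is earlier: due now
        "ari_beats_later_rbe": should_renew(now, not_after, timedelta(days=7), ari_time, thirty),
        # no ARI: the 7-day renew_before_expiry overrides the default, not due yet
        "rbe_overrides_default": should_renew(now, not_after, timedelta(days=7), None, thirty),
        # no ARI and no renew_before_expiry: the default lead applies (due from 2 Mar)
        "default_applies": should_renew(now, not_after, None, None, thirty),
    }


if __name__ == "__main__":
    print(ari_cert_id(bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4"), 0x87654321))
    print(scenario())
```

The identifier is the only part of ARI a client computes from the certificate itself; in a real client the AKI key identifier and serial would be read from the parsed certificate, and the renewalInfo URL would be taken from the server's directory rather than hard-coded.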
More details about these changes can be found on our GitHub repo.