As announced in https://letsencrypt.org/2025/12/02/from-90-to-45.html, LE will decrease the default certificate lifetime from 90 to 45 days. Timeline:
- May 13, 2026: Let’s Encrypt will switch our tlsserver ACME profile to issue 45-day certificates. This profile is opt-in and can be used by early adopters and for testing.
- February 10, 2027: Let’s Encrypt will switch our default classic ACME profile to issuing 64-day certificates with a 10-day authorization reuse period. This will affect all users who have not opted into the tlsserver or shortlived (6-day) profiles.
- February 16, 2028: We will further update the classic profile to issue 45-day certificates with a 7 hour authorization reuse period.
Work to do on acme-chief side:
- Support ACME Renewal Information (ARI) to auto-detect when acme-chief should renew a certificate instead of the current hardcoded timedelta of 30 days.
- Support ACME profiles so we can opt-it to 45 days in certain services and test that everything works as expected before the mandatory switch
acme-chief dependencies support
- ARI support has been introduced earlier this year in python3-acme, relevant commit is https://github.com/certbot/certbot/commit/723fe64d4dbc778f1e8fd0b93320c1a30dc6fa95
- pebble (LE test server) 2.7.0 supports both ARI and ACME profiles
- ACME profiles aren't supported yet by python3-acme