Root Causes 318: What Is ACME Renewal Information (ARI)?
ACME is a functional and widely supported protocol for certificate provisioning and installation. A new extension to the protocol will help automate renewals. In this episode we explain ACME Renewal Information (ARI).
- Original Broadcast Date: July 18, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We want to talk today about ACME. We talk about ACME a lot, don't we?
-
Jason Soroko
It's important. It's that big open protocol that allows you to get certificates from a CA and renew them and automate and it's great. We promote it. We use it. I've used it for my own sites and I think because it's an open standard, it’s had the tires kicked and it follows a lot of best practices, Tim. There's a lot of good things about ACME.
-
Tim Callan
And there's widespread support. There's a lot of reliability. You can use ACME and it'll work. So, ACME is wonderful. Everything's hunky dory. It's absolutely perfect, so there's nothing to say about ACME, Jay?
-
Jason Soroko
Oh, I wish that was true.
-
Tim Callan
Unfortunately not.
-
Jason Soroko
Let's talk about, Tim, I think this podcast is really going to be about the elephant, one of the elephants, in the room, and that's renewal. Because there's a ton of ACME clients out there. We all know and love certain ones. And the one thing, let's put it this way. The very first time I ever set up an ACME client myself, it was easy. It worked fantastic. I've used it against third party CAs, including our own company Sectigo. It works great. Of course, the question comes: well, I know I need to renew my certificate at some point in time. And I know that the agent, the ACME client that I'm using, needs to be executed at a time in the future. How do I reliably set that time? And look, I don't think I'm different than a lot of people. I was in a Linux environment. And I set up a cron job and I basically let the Linux operating system fire off a pre-written command, from which I presumably would end up with a renewed certificate at a particular point in the future. And that's the way I did set it up in the past.
Now, there's obviously a lot of other ways to do that. There's all kinds of IT tools to do things that are far better than a cron job. A lot more reliable; things that can be monitored, hey, if there's a problem, if things had to back up, checking logs if there was an error. There's all kinds of proper IT ways to do things. That's not really the topic here, Tim. I think what we're going to be talking about is what's going on in the ACME world to help out with renewals.
-
Tim Callan
So there's a concept that's called ACME Renewal Information and oftentimes, people just refer to it as ARI. And ARI is supposed to build the concept of renewal into the ACME protocol. Because right now, that's not there. Right now, in ACME’s perspective, if I'm getting a new certificate for the exact same use case, the exact same domain, the exact same environment and server every 60 days into perpetuity, in ACME’s world, each of these is just its own independent event and ARI starts to introduce a little bit of a lifecycle concept into the ACME protocol.
-
Jason Soroko
So, ARI as part of the ACME standard and as part of the ACME protocol, ARI would really need to be made aware and built into two places. Obviously, at the server side, and at the client side. So within, pick your favorite ACME client of choice. I mean, there's a lot out there. Certbot is one that I've used a lot. So have many other people. But also, ARI, because of the fact that it's something, it's an interaction, it's not just a polling event from a server. It is an information exchange. You can request information from the server from the client, and then receive that information and then do something with it. So therefore, it's the first time ACME is doing something from both sides, essentially.
-
Tim Callan
And what are the advantages of this?
-
Jason Soroko
I think the advantage, Tim, the way that I've read the standard, if you do your favorite internet search on automated certificate management environment renewal information, ARI extension, that's what I'm looking at right now, the IETF online document about this, Aaron Gable being the author, so shout out to Aaron. When I look at this, let's file this under Jay oversimplifies ARI. Because this podcast is for those of you who already know what ARI is, well, God bless you. For the rest of you, this is my oversimplification.
Basically, you as the consumer of a publicly trusted certificate, and you're using your ACME client of choice, Certbot being an example. If ARI were implemented, what you'd presumably be able to do is use the client to actually ask the server, hey, what is my renewal info? And in fact, I believe the method being proposed here is called renewal info, and that basically would be a command sent off on your behalf to the server by the client. And then the server would come back to you and say, oh, here is your, I think it's gonna potentially come back with two things that need to be parsed. And ultimately renewal info is going to be sent via a GET command, and then the URL response can be parsed. And that parsing of that information will give you, hey, this is the renewal info. This is the renewal window which you are either in or not in, and so the client would need to parse that URL to determine what the window is, and then how to act upon it.
And here's the oversimplified part. Part of the parsing procedure would then be, hey, am I within the renewal window, meaning, I have specified that I want to renew after 60 days, after 65 days, after 70 days. Yes, the servers will respond. Your renewal info will say to you, you are within the renewal window past the 60 days, or 65 days, or whatever it happens to be, and then the client can make a decision and go, oh, thank you for that information. I am now going to issue a renewal command through the ACME client and then use the standard ACME protocol to do a renewal function, which, of course, is not renewal because ACME doesn't really have a concept of renewal. This is the chicken and egg problem that it's trying to break: it's renewal information. We're not really adding a renewal concept into ACME as much as we are being able to configure a renewal window and be able to pull, hey, Mr. Server, you know when my last cert was issued. Can you tell me when my renewal window is based off of that? And then the client, not having to know anything, can act upon that information, Tim. That's what it's all about.
-
Tim Callan
And so, I'm not sure so much that this is going to be a function of preventing outages due to renewal as it is just making life easier for the people who have to put together and administer and run these systems. Do you think that's right?
-
Jason Soroko
I think it's right, Tim, in the sense that if you go back to my earliest example of using a cron job, what happens if the cron job fails? Or, the cron job has no knowledge of anything. That's very, very crude. At least now, right within the client itself, you're able to ask information from the server and say, hey, I am a brand new client. I don't know anything about anything. Can you please tell me whether or not I'm within the renewal window so that I can fire off a renewal command and not have to do my own timing? The server is going to provide that for me.
-
Tim Callan
So in that sense, maybe I'm wrong. Maybe you're saying that there is a reliability gain that comes out of this. That there is less likely to be an error or a flaw or an unfortunate missed renewal that occurs.
-
Jason Soroko
I think that is a side effect of it, and I think that's a useful way of thinking about it, Tim. At least it's something that needs to be configured. You can obviously screw up the configuration. So, that's why I hesitate to say reliability, because reliability means perfect information. This still needs to be configured and if you screw up the configuration, then you're in trouble. But, on the other hand, it's certainly better than nothing, and some people may choose to use it.
-
Tim Callan
And that’s true in any automation situation. If you screw up the configuration, you're in trouble. That's sort of the nature of the beast of automation.
-
Jason Soroko
That is the nature of the beast of automation. Now, we're not hearing a ton of people having problems. That's the thing. And I think that ARI is a nice to have, but it's a really nice to have. And that's the way I think I'd put it. And again, that's oversimplified. Some people might say otherwise, and I'm happy to live in a world with a whole pile of opinions, but we just wanted to explain what this thing is.
-
Tim Callan
And it's also very early days, and I get the impression, again, I don't have hard numbers to put behind this, but I get the impression that adoption of ARI at this point is extremely scarce. And I think we're looking at something where we're going to see a trend. I think this is going to become much more common. I also think we've got spotty support in terms of the systems and the software you would need that knows how to use it, and I think we should look to see this one tracking up over time and, as that happens, ARI becoming a reliable part of your IT toolkit, just like your more basic set of ACME commands are today.
-
Jason Soroko
Exactly. So stay tuned. Wherever you're getting your certificates from, if you're using ACME, this topic will come up. For those of you who have fully managed ACME configurations, where you've got external IT tools that are helping you, hey, maybe you don't need this. But for those of you who are working with more crude types of tools, this could be useful.
-
Tim Callan
All right. Well, there you go. That's ACME Renewal Information, aka ARI. Thank you very much, Jay.