Add config option to disable ARI

This may be temporary until ARI is more mature

acmeissuer.go

@@ -461,7 +461,7 @@ func (am *ACMEIssuer) doIssue(ctx context.Context, csr *x509.CertificateRequest,
 	// between client and server or some sort of bookkeeping error with regards to the certID
 	// and the server is rejecting the ARI certID. In any case, an invalid certID may cause
 	// orders to fail. So try once without setting it.
-	if !usingTestCA && attempts != 2 {
+	if !am.config.DisableARI && !usingTestCA && attempts != 2 {
 		if replacing, ok := ctx.Value(ctxKeyARIReplaces).(*x509.Certificate); ok {
 			params.Replaces = replacing
 		}

certificates.go

@@ -103,6 +103,7 @@ func (cfg *Config) certNeedsRenewal(leaf *x509.Certificate, ari acme.RenewalInfo
 		logger = zap.NewNop()
 	}
 
+	if !cfg.DisableARI {
 		// first check ARI: if it says it's time to renew, it's time to renew
 		// (notice that we don't strictly require an ARI window to also exist; we presume
 		// that if a time has been selected, a window does or did exist, even if it didn't
@@ -149,7 +150,7 @@ func (cfg *Config) certNeedsRenewal(leaf *x509.Certificate, ari acme.RenewalInfo
 					zap.Time("renewal_cutoff", cutoff))
 				return true
 			}
-
+		}
 	}
 
 	// the normal check, in the absence of ARI, is to determine if we're near enough (or past)

config.go

@@ -149,6 +149,10 @@ type Config struct {
 	// EXPERIMENTAL: Subject to change or removal.
 	SubjectTransformer func(ctx context.Context, domain string) string
 
+	// Disables both ARI fetching and the use of ARI for renewal decisions.
+	// TEMPORARY: Will likely be removed in the future.
+	DisableARI bool
+
 	// Set a logger to enable logging. If not set,
 	// a default logger will be created.
 	Logger *zap.Logger
@@ -451,7 +455,7 @@ func (cfg *Config) manageOne(ctx context.Context, domainName string, async bool)
 
 		// ensure ARI is updated before we check whether the cert needs renewing
 		// (we ignore the second return value because we already check if needs renewing anyway)
-		if cert.ari.NeedsRefresh() {
+		if !cfg.DisableARI && cert.ari.NeedsRefresh() {
 			cert, _, err = cfg.updateARI(ctx, cert, cfg.Logger)
 			if err != nil {
 				cfg.Logger.Error("updating ARI upon managing", zap.Error(err))
@@ -888,7 +892,8 @@ func (cfg *Config) renewCert(ctx context.Context, name string, force, interactiv
 			// if we're renewing with the same ACME CA as before, have the ACME
 			// client tell the server we are replacing a certificate (but doing
 			// this on the wrong CA, or when the CA doesn't recognize the certID,
-			// can fail the order)
+			// can fail the order) -- TODO: change this check to whether we're using the same ACME account, not CA
+			if !cfg.DisableARI {
 				if acmeData, err := certRes.getACMEData(); err == nil && acmeData.CA != "" {
 					if acmeIss, ok := issuer.(*ACMEIssuer); ok {
 						if acmeIss.CA == acmeData.CA {
@@ -896,6 +901,7 @@ func (cfg *Config) renewCert(ctx context.Context, name string, force, interactiv
 						}
 					}
 				}
+			}
 
 			issuedCert, err = issuer.Issue(ctx, useCSR)
 			if err == nil {
@@ -1246,9 +1252,11 @@ func (cfg *Config) managedCertNeedsRenewal(certRes CertificateResource, emitLogs
 		return 0, nil, true
 	}
 	var ari acme.RenewalInfo
+	if !cfg.DisableARI {
 		if ariPtr, err := certRes.getARI(); err == nil && ariPtr != nil {
 			ari = *ariPtr
 		}
+	}
 	remaining := time.Until(expiresAt(certChain[0]))
 	return remaining, certChain[0], cfg.certNeedsRenewal(certChain[0], ari, emitLogs)
 }

handshake.go

@@ -582,7 +582,7 @@ func (cfg *Config) handshakeMaintenance(ctx context.Context, hello *tls.ClientHe
 	}
 
 	// Check ARI status
-	if cert.ari.NeedsRefresh() {
+	if !cfg.DisableARI && cert.ari.NeedsRefresh() {
 		// we ignore the second return value here because we go on to check renewal status below regardless
 		var err error
 		cert, _, err = cfg.updateARI(ctx, cert, logger)

maintain.go

@@ -136,7 +136,7 @@ func (certCache *Cache) RenewManagedCertificates(ctx context.Context) error {
 		}
 
 		// ACME-specific: see if if ACME Renewal Info (ARI) window needs refreshing
-		if cert.ari.NeedsRefresh() {
+		if !cfg.DisableARI && cert.ari.NeedsRefresh() {
 			configs[cert.hash] = cfg
 			ariQueue = append(ariQueue, cert)
 		}