Description
Your Feature Request
RFC: https://datatracker.ietf.org/doc/rfc9773/
Blogs:
- https://letsencrypt.org/2025/09/16/ari-rfc
- https://letsencrypt.org/2024/04/25/guide-to-integrating-ari-into-existing-acme-clients
- https://letsencrypt.org/2023/03/23/improving-resliiency-and-reliability-with-ari
To implement this, HAProxy should extract the keyIdentifier from the cert, make an HTTP request for each key during an ACME task, parse the result, and check whether it is time to update the certs; this will probably require modifying the acme_will_expire function or writing a similar one. More implementation details are in the second linked blog; selecting a time within the window is slightly complicated.
So basically HAProxy will get the cert update window from the HTTP endpoint instead of calculating it based on the cert expiration date.
@wlallemand I probably will have a go at implementing this after I'm done with other acme stuff.
What are you trying to do?
ARI allows the ACME server to have control over the time at which certificate updates are scheduled.
This is useful for mass revocations of certificates and for decreasing load spikes on the ACME CA infrastructure.
On Letsencrypt it also removes some rate-limits: https://letsencrypt.org/docs/rate-limits/#ari-renewals
From the user's perspective it doesn't add a lot; it is mostly an internal thing to make things more robust, but I'm sure people at Letsencrypt will be happy or something.
Output of haproxy -vv
v3.4-dev5
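The two pieces the description above leaves to the implementer are building the ARI request identifier and deciding, from the returned window, whether a renewal is due. The following stand-alone C is an added illustration and not HAProxy code: it takes the AKI keyIdentifier and serial number as octet strings that a caller has already pulled out of the certificate (no OpenSSL is used), builds the certID as RFC 9773 specifies (base64url without padding of the keyIdentifier, a dot, then base64url of the serial's DER value bytes), picks a uniformly random instant inside the suggested window, and applies the "renew now if the chosen time is past or the client will not wake up before it" rule from the linked integration guide. The sample AKI and serial bytes are the values used in the RFC's own worked example; the renewal-info URL and the function names are assumptions.

```c
/* Added example for ARI (RFC 9773) certID construction and window handling.
 * Not part of HAProxy; OpenSSL is deliberately avoided so it runs anywhere. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

/* base64url without padding (RFC 4648 section 5), which ARI requires.
 * Returns the number of characters written, or 0 if out is too small. */
static size_t b64url(const uint8_t *in, size_t n, char *out, size_t outsz)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    size_t i, o = 0;
    for (i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        if (o + 4 >= outsz) return 0;
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        if (i + 1 < n) out[o++] = tbl[(v >> 6) & 63];
        if (i + 2 < n) out[o++] = tbl[v & 63];
    }
    out[o] = '\0';
    return o;
}

/* certID = base64url(AKI keyIdentifier) "." base64url(serial DER value bytes).
 * The serial must be passed exactly as encoded in the certificate's INTEGER
 * (tag and length stripped), so a leading 0x00 that DER adds for a positive
 * value with the high bit set is kept. Returns the length written, 0 on error. */
static size_t ari_cert_id(const uint8_t *aki, size_t akilen,
                          const uint8_t *serial, size_t serlen,
                          char *out, size_t outsz)
{
    size_t n = b64url(aki, akilen, out, outsz);
    if (n == 0 || n + 1 >= outsz) return 0;
    out[n++] = '.';
    size_t m = b64url(serial, serlen, out + n, outsz - n);
    return m ? n + m : 0;
}

/* Uniformly distributed instant in [start, end]. rnd is a value in [0,1)
 * supplied by the caller (a CSPRNG in production), which keeps tests deterministic. */
static time_t ari_pick_time(time_t start, time_t end, double rnd)
{
    if (end <= start) return start;
    return start + (time_t)((double)(end - start) * rnd);
}

/* Renew now if the chosen instant is already in the past, or if the ACME task
 * will not run again (next_check) before the chosen instant; otherwise wait. */
static int ari_should_renew(time_t chosen, time_t now, time_t next_check)
{
    return chosen <= now || chosen < next_check;
}

/* Sample bytes from the RFC 9773 worked example (AKI keyIdentifier and the
 * DER value of serial 0x0087654321, leading zero included). */
static const uint8_t sample_aki[] = {
    0x69,0x88,0x5B,0x6B,0x87,0x46,0x40,0x41,0xE1,0xB3,
    0x7B,0x84,0x7B,0xA0,0xAE,0x2C,0xDE,0x01,0xC8,0xD4 };
static const uint8_t sample_serial[] = { 0x00,0x87,0x65,0x43,0x21 };

/* Convenience wrapper returning the certID for the sample certificate. */
static const char *ari_sample_cert_id(void)
{
    static char id[128];
    if (ari_cert_id(sample_aki, sizeof sample_aki,
                    sample_serial, sizeof sample_serial, id, sizeof id) == 0)
        return NULL;
    return id;
}

int main(void)
{
    const char *id = ari_sample_cert_id();
    /* The renewalInfo URL comes from the ACME directory; this one is assumed. */
    printf("GET https://ca.example/acme/renewal-info/%s\n", id ? id : "(error)");

    /* Constructed window: now + 1h .. now + 3h, task wakes hourly. */
    time_t now = time(NULL);
    time_t chosen = ari_pick_time(now + 3600, now + 3 * 3600, 0.25);
    printf("renew now: %d\n", ari_should_renew(chosen, now, now + 3600));
    return 0;
}
```

The window values in the real response arrive as RFC 3339 timestamps inside a `suggestedWindow` JSON object, so a HAProxy integration would parse those into `time_t` before calling the two decision helpers; the `acme_will_expire`-style check then becomes "is `ari_should_renew` true for this cert" rather than a comparison against `notAfter`.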