ARI implementations

Yes, Certify The Web got draft 03 support at the start of May 2024; we had an implementation of the old draft before that, released in May 2023. We implement per-certificate renewalInfo checks twice per day (we also do OCSP checks at the same time) and replaces CertID support.

  • Posh-ACME also has work-in-progress ARI draft 03 support, but that's not yet released: https://poshac.me
  • Tailscale uses ARI but I can't see if they have updated to draft 03, presumably they will if they haven't already.

For those implementing ARI, things to watch out for include:

  • an invalid replaces certID (wrong format, not the current cert id, previous cert issued from a different CA, etc.) will cause the order to error with a Conflict status code [this response could vary between implementations]. Catch your errors and consider skipping "replaces" if you've had a few repeated failures, otherwise you could end up in a self-imposed denial of service by way of an unforeseen combination of circumstances.
  • when checking for renewal info, obviously be prepared for it to go very wrong, so that it doesn't derail any other processes.
  • the ARI spec doesn't provide a way for CAs to indicate their respective implementation version, so as a result it's not really practical to support multiple versions of the spec.
  • and in general, always assume your users will not upgrade their client version until their certificates are literally expiring due to a new problem. Consider whether having a direct way to contact users might be necessary in your case. Let's Encrypt's service implementation changes fairly frequently, and subtle changes can have an unanticipated impact which is specific to your implementation or your users' context.
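A constructed Python sketch of the client-side pieces discussed in the post above: building the draft 03 certID (AKI keyIdentifier plus DER serial contents), picking a time inside suggestedWindow, a guarded renewalInfo lookup that cannot derail the rest of a renewal job, and backing off "replaces" after repeated Conflict errors. This is added example code, not Certify The Web's, Posh-ACME's or any other client's implementation; it assumes the caller has already extracted the AKI keyIdentifier bytes and the serial number from the certificate, and all byte strings, serials and timestamps used with it are made up.

```python
import base64
import random
from datetime import datetime
# Constructed example: AKI keyIdentifier bytes and an int serial stand in for values read from the cert.

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """draft-03 certID: b64url(AKI keyIdentifier) '.' b64url(serial contents).
    The serial part is the DER INTEGER contents only (no tag/length): minimal
    two's complement, so a leading 0x00 is needed when the top bit is set."""
    if serial <= 0:
        raise ValueError("X.509 serial numbers must be positive")
    contents = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return f"{b64url(aki_key_identifier)}.{b64url(contents)}"

def parse_ts(ts: str) -> datetime:
    """RFC 3339 timestamp as used in suggestedWindow -> timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def pick_renewal_time(renewal_info: dict, now: datetime, fraction=None) -> datetime:
    """Random point inside suggestedWindow spreads load; a window that has already
    passed means renew now. `fraction` (0..1) fixes the random choice for tests."""
    start = parse_ts(renewal_info["suggestedWindow"]["start"])
    end = parse_ts(renewal_info["suggestedWindow"]["end"])
    if now >= end:
        return now
    start = max(start, now)
    return start + (end - start) * (random.random() if fraction is None else fraction)

def safe_renewal_check(fetch, cert_id: str):
    """Any failure (network, CA bug, bad JSON) degrades to 'no advice', never an exception."""
    try:
        info = fetch(cert_id)
        return info if isinstance(info, dict) and "suggestedWindow" in info else None
    except Exception:  # deliberately broad: ARI must never block renewal
        return None

class ReplacesPolicy:
    """Stop sending 'replaces' for a cert after repeated Conflict errors so a
    bad certID cannot become a self-imposed denial of service."""
    def __init__(self, max_failures: int = 3):
        self.max_failures, self.failures = max_failures, {}
    def replaces_for(self, cert_id: str):
        return None if self.failures.get(cert_id, 0) >= self.max_failures else cert_id
    def record_conflict(self, cert_id: str) -> None:
        self.failures[cert_id] = self.failures.get(cert_id, 0) + 1
```

The `fetch` callable is whatever does the authenticated GET against the CA's renewalInfo endpoint; the policy object is meant to be persisted alongside the certificate so the back-off survives restarts.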