Certbot 2.11.1 point release

Hey all, we've just dropped a point release for 2.11 which fixes an issue related to certbot/acme's josepy dependency specification.

For most users, you don't need to care about this. But if your project depends on certbot or acme v2.11, this will fix any issues you may have where pip incorrectly pulls in josepy 2.0, which contains breaking changes.

4 Likes

Is it true that certbot doesn't support checking CRLs for revocation (and thus early renewal), only OCSP?

I can't find anything in the changelog or any relevant open/closed issues.

If this isn't a feature currently, are there any plans to get it working before Let's Encrypt starts issuing CRL-only certificates?

That would mean Certbot would need to download the CRL, which could be quite large, every so often.

Also, I don't know why you're posting in this thread? It's not related to this point release at all. Please don't post off-topic. If you want to raise an issue, best to do it at the Certbot GitHub repo.

2 Likes

Feels like the OCSP shutoff is being rushed if the LE people and the certbot people haven't even begun communication about it yet. It shouldn't be on randos like me to remediate this lack of communication, but I will call it out if I see it.

Because of the thick cloud of uncertainty around this whole thing, I've already switched most of my certificates over to Google's ACME service (with LE for backup only), but for the benefit of others who may not even be aware of the situation, I'd like to call out the lack of communication here as a potential area of concern.

Looking around online I've seen a lot of people uncertain and apprehensive about what's going to happen to certbot as a result of this change, and the only good answer unfortunately seems to be "change ACME providers for now and monitor how the situation develops".

Good luck, and don't shoot the messenger.

I agree the Certbot team has not been forthcoming about their plans to address changes by Let's Encrypt. I doubt it is due to a lack of comms, as you surmise, but one of priority at EFF. But I only guess as some rando 🙂

The way forward for ACME Clients is to support ARI. It allows an ACME Server that supports ARI (like Let's Encrypt) to inform the client when a cert should be renewed. This handles various cases: revoked certs, pending CA revocations, different cert lifetimes, and possibly other things like load leveling at the CA's servers.

I believe Certbot is planning on rolling out support for ARI this year. Other ACME Clients already include such support. To be clear, it is not necessary for ACME Clients to use CRL if they support ARI (which they should anyway).

3 Likes
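An added example (not Certbot's code and not from any poster here) of the client-side ARI logic the post above describes: deriving the ARI certID from the Authority Key Identifier and serial number, then picking a renewal instant inside the CA's suggested window. The renewalInfo response is a constructed sample and its explanation URL is a placeholder.

```python
"""Added example (not Certbot's code): client-side ACME Renewal Information (ARI).
The client derives a certID from the Authority Key Identifier and serial, GETs
<renewalInfo URL>/<certID>, and renews at a random instant inside the window."""
import base64
import json
import random
from datetime import datetime, timedelta

def _b64url(data: bytes) -> str:
    # base64url without padding, as used throughout ACME/JOSE.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def serial_der_bytes(serial: int) -> bytes:
    # Content octets of the DER INTEGER (no tag/length), as ARI requires:
    # minimal big-endian two's complement, so a top-bit-set serial gets a 0x00.
    return serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    # certID = base64url(AKI keyIdentifier) "." base64url(serial DER content)
    return f"{_b64url(aki_key_identifier)}.{_b64url(serial_der_bytes(serial))}"

def _parse_rfc3339(value: str) -> datetime:
    # fromisoformat() before Python 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pick_renewal_time(renewal_info: dict, seed=None) -> datetime:
    # Uniformly random instant inside suggestedWindow, so a fleet of clients
    # does not all hit the CA at the same second.
    window = renewal_info["suggestedWindow"]
    start, end = _parse_rfc3339(window["start"]), _parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("ARI suggestedWindow end precedes start")
    return start + (end - start) * random.Random(seed).random()

def should_renew_now(renewal_info: dict, now: str, hours_to_next_run: float,
                     seed=None) -> bool:
    # Renew in this run if the chosen instant lands before the next scheduled
    # run; a window the CA pulled forward (pending revocation, shorter lifetime)
    # is honoured with no CRL or OCSP fetch on the client.
    deadline = _parse_rfc3339(now) + timedelta(hours=hours_to_next_run)
    return pick_renewal_time(renewal_info, seed) <= deadline

# Constructed sample renewalInfo response (JSON shape from the ARI spec).
SAMPLE_RENEWAL_INFO = json.loads(
    '{"suggestedWindow": {"start": "2024-06-01T00:00:00Z",'
    ' "end": "2024-06-03T00:00:00Z"},'
    ' "explanationURL": "https://example.com/why-renew"}'
)
```

A real client would re-fetch renewalInfo on each run (honouring the Retry-After header) rather than caching the window, since the CA can move it forward at any time.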

For context on the original post – the acme package in Certbot 2.11 didn't pin josepy to "<2.0", and 2.0 has major breaking changes. The number of clients using 2.11 is likely small, but that was the last release in the 2.x branch – so anyone pinned to certbot<3 would have issues.

The certbot team let me do those breaking changes, so I was worried this may have been my fault, and dug into things.

3 Likes