Certbot 4.1.0 has just been released. The changelog for the release is:
Added
- ACME Renewal Info (ARI) support (draft-ietf-acme-ari-08 - Automated Certificate Management Environment (ACME) Renewal Information (ARI) Extension). `certbot renew` will automatically check ARI when using an ACME server that supports it, and may renew early based on the ARI information. For Let's Encrypt certificates this will typically cause renewal at around 2/3rds of the certificate's lifetime, even if the `renew_before_expiry` field of a lineage renewal config is set to a later date.
Changed
- Switched to src-layout from flat-layout to accommodate PEP 517 pip editable installs.
- `acme.client.ClientNetwork` now makes the "key" parameter optional.
- Deprecated `acme.challenges.TLSALPN01Response`.
- Deprecated `acme.challenges.TLSALPN01`.
- Deprecated parameter `alpn_protocols` from `acme.crypto_util.probe_sni`.
- Deprecated `acme.crypto_util.SSLSocket`.
- Deprecated `acme.standalone.TLSServer`.
- Deprecated `acme.standalone.TLSALPN01Server`.
- Deprecated parameter `enforce_openssl_binary_usage` from `certbot.ocsp.RevocationChecker`.
- Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer versions of the cryptography Python package. Python 3.9.2+ is still supported.
Fixed
- Order finalization now catches an `orderNotReady` response, polls until the order status is `ready`, and resubmits the finalization request before polling for `valid` to download the certificate. This conforms to RFC 8555 more accurately and avoids race conditions where all authorizations are fulfilled but the order has not yet transitioned to the ready state on the server when the finalization request is sent. It also respects Retry-After when polling for finalization readiness.
- The --preferred-profile and --required-profile flags now have their values stored in the renewal configuration so the same setting will be used on renewal.
- Fixed an unintended change introduced in 4.0.0 where `renew_before_expiry` could not be shorter than certbot's default renewal time. If the server does not provide an ARI response, `renew_before_expiry` will continue to override certbot's default. However, an early ARI response will override a later `renew_before_expiry` time, to account for notifications in case of certificate revocation, especially with the impending deprecation of OCSP (Ending OCSP Support in 2025 - Let's Encrypt). To force a later date, users can replace certbot's default cron job and/or systemd timer with one of their own timing.
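The finalization sequence from the first Fixed item, as an added illustration that is not Certbot's own code and does not use the acme library's API: a constructed in-memory stand-in for the ACME order endpoint (FakeAcmeServer, hypothetical) and a client routine that catches orderNotReady, polls until the order is ready while honouring Retry-After, resubmits the finalization, then polls until the order is valid.

```python
import time


class OrderNotReady(Exception):
    """Stand-in for the urn:ietf:params:acme:error:orderNotReady problem (RFC 8555 7.4)."""


class FakeAcmeServer:
    """Constructed stand-in for an ACME server, not acme.client: the order becomes
    'ready' only after `polls_until_ready` GETs, and 'valid' one poll after finalize."""

    def __init__(self, polls_until_ready=2, retry_after=0):
        self.status = "ready" if polls_until_ready == 0 else "pending"
        self.polls_until_ready = polls_until_ready
        self.retry_after = retry_after  # seconds, as a Retry-After header would carry
        self.finalize_calls = 0

    def get_order(self):
        if self.status == "pending":
            self.polls_until_ready -= 1
            if self.polls_until_ready <= 0:
                self.status = "ready"
        elif self.status == "processing":
            self.status = "valid"
        return {"status": self.status, "retry_after": self.retry_after}

    def finalize(self):
        self.finalize_calls += 1
        if self.status != "ready":
            raise OrderNotReady()  # the race the 4.1.0 fix handles
        self.status = "processing"


def poll_until(server, target, sleep, max_polls):
    """Poll the order until it reaches `target`, sleeping Retry-After seconds between polls."""
    for polls in range(1, max_polls + 1):
        order = server.get_order()
        if order["status"] == target:
            return polls
        if order["status"] == "invalid":
            raise RuntimeError("order is invalid")
        sleep(order["retry_after"])
    raise RuntimeError(f"order did not reach {target!r} after {max_polls} polls")


def finalize_order(server, sleep=time.sleep, max_polls=10):
    """Catch orderNotReady, poll until 'ready', resubmit, then poll until 'valid'; return poll count."""
    polls = 0
    try:
        server.finalize()
    except OrderNotReady:
        polls += poll_until(server, "ready", sleep, max_polls)
        server.finalize()  # resubmit the finalization once the order is ready
    return polls + poll_until(server, "valid", sleep, max_polls)
```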
More details about these changes can be found on our GitHub repo.