Posted by zdw 2 days ago
> Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.
Appreciate the honesty (they had other reasons, too! but emails are a pain and expensive at their scale)
That's the point
LE just isn't interested in maintaining such a service. Sending them money won't make them interested all of the sudden; that money can be spent better on setting up an independent free alternative.
"Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us."
A check to cover the cost of the system would not solve this part of the problem.
Its not only the service cost, but as they say, it costs engineering hours, which could be spent elsewhere.
Moreover, SSL cert age check should be something you're looking out for, or letting certbot restart your service for you.
Because companies are for profit usually and any donation they make reduces that profit. That's why open source projects that can offer service contracts, have a easier time getting money from the buisness world, because this is something bookkeeping people understand in the corporate language.
> Why not?
Because I believe it is "sickening" expressing how "sickening (...) it is that large companies don't support open source/free initiative" when discussing one of the projects that do global-scale operations purely on corporate and personal donations. Somehow Let's Encrypt themself don't express that sickening in their blogs and websites. They do thank their sponsors, though.
I wanted to throw them some (of work's) cash, and... the only two options were "Sponsor", and "Donate". Sponsorship was, uh, wrong for my use-case: it starts at some multiple-thousands of dollars. Donating would be the obviously correct choice, but putting something marked "donation" onto a corporate card would occasion a... Weird conversation, in which "you could have got this for free, but you're choosing to send them money?" would likely have been raised. I went with free, and was sad about it.
Yes, corporate expectations and affordances around FOSS should change - and, I probably could have persuaded my employer that a few dollars a month for Let's Encrypt was the Right Thing To Do, so I'm a little bit of a coward - but LE would make it so much easier if there was a Send Us Money option that looks like a fee for service, rather than a donation. (Maybe being a 501c(3) precludes that? I don't know.)
There's the "Corporate doesn't understand FOSS" problem, but there's also a "FOSS doesn't speak Corporatese" obstacle there, too.
In the end I sent LE $20, or something, of my own money (I've had years of trouble-free use on my media server, and should have before), but they'd have had $5 / month of work's cash for years if they'd made that easier to do.
https://www.youtube.com/watch?v=VTY-lQ3S1gw
You could instead frame it as a payment for your dependency on the future existence of the FOSS you are using for free.
I still can't find proper data on their financials, but at least below report (page 42) says only 10% of their revenue is donations. And 48% out of total spending is LE.
Or hey maybe they could charge for these expiration notifications.
Pushover is $5 once for personal use, ntfy.sh can be completely self-hostable if you prefer.
I have written a small tool which utilizes pushover for these reasons.
You can receive the notifications on your browser/mobile for free afterwards.
So it's even work if you don't have control about the le client.
And worse of all, worry about Apple and Google's arbitrary rejections?
This seems far more costly than email. Just having one dev keeping those apps going, is likely 20x or more than their email costs per year.
It's a valuable service for the average person to get these emails without having to set up separate monitoring
"Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us."
Now there is no contact information associated with issuance records.
But it was obviously valuable enough for them to be doing it for over a decade
I remember it being helpful to me personally when I was using LE when it first came out
Publishing all SSL certs for domains is kind of worse than some random email.
(But also, even if they could avoid this somehow: the entire point of a public CA is to publish end entity certificates. The “I want a public certificate while keeping a subdomain secret” model was never particularly coherent.)
I dont need cert transparency either. I just needed encryption... Which a self-signed would be fine. But the internet powers that be deem self-signed as 'evil'. And more webtech requires SSL (like you, websockets). Can't even use it locally without SSL.
Paying $x00 for a SSL from some commercial vendor is laughable these days, unless you need a code cert or a onioncert.
Not really: we learned a hard lesson decades ago that encryption isn’t especially meaningful unless you know who you’re encrypting to. Self-signed certificates are the classic “your communications are secure, but you’re talking with satan” example.
As others have said: if you want to keep a specific subdomain label out of CT, you can issue a wildcard certificate instead. But the Web PKI as a whole is correct in not letting you do encrypted communication with a service without having some established notion of that service’s identity.
If you don't want the certificate to be in the CT logs, your only options are a private CA or things like CF Origin certificate, depending on how the domain is intended to be accessed.
It's not the end user that "needs" CT, it is a mechanism to ensure no shady CA can misissue a certificate without being caught. Requirements like that are written in blood (see Symantec).
Self-signed certificates don't actually provide useful encryption, since they are trivially MITM-able.
> For those who would like to continue receiving expiration notifications, we recommend using a third party service such as Red Sift Certificates Lite (formerly Hardenize). Red Sift’s monitoring service providing expiration emails is free of charge for up to 250 certificates. More monitoring options can be found here.
Yet it was still valuable to find those that fell through the cracks. At work, the emails prevented a couple of outages by expired cert, because a dev that left was renewing them by hand and we only found out when they left and the catch-all started to bubble them up to support.
Things fall through the cracks, or people are in a pinch and just forget to add the cert to the in-house monitoring system. The emails were a wonderful failsafe.
I wish I could just query LE to tell me all existing certain where the account is under my domain name. Extremely helpful to assemble a SBOM.
That said, I never had issues with certbot on Arch Linux, and I have been using it for a really long time.
Since Arch Linux is bleeding-edge, it does not diverge from latest version. :D
I can see the use in a tool that will scan all certificates configured in local web servers and monitors for close expiration dates, though. Not just Let's Encrypt, but also any other ACME accounts and certificate directories you may need. The biggest challenge would probably be dealing with encrypted certificate files, and after that getting email set up correctly. Nobody seems to have made it because it's so easy to script or add to a pre-existing monitoring system, so this could be a fun open source project. You probably can't use the letsencrypt brand name, though.
#!/usr/bin/env bash
cert_check() {
server=$1
host=$2
port=$3
str=`ssh "$server" "echo | openssl s_client -servername $host -connect localhost:$port | openssl x509 -noout -checkend 604800"` || true
if ! echo "$str" | grep -q 'Certificate will not expire' ; then
echo "$str" | ./send-email.py "Certificate \"$host\" on $server will expire in 7 days" \
fi
}
cert_check name myserver.com 443I don't begrudge people writing a tool to learn, but it should be noted that this wheel has already been invented:
* https://github.com/matteocorti/check_ssl_cert
* https://exchange.nagios.org/directory/Plugins/Security/check...
You revoke a certificate when you believe that it might have been compromised. Expiring certificates helps protect you when you've unknowingly been compromised.
So let's say that one of your employees accidentally pushed a private key for one of your certificates up to GitHub and you notice it. That's when you should immediately rotate that certificate and revoking the old one.
Now let's say that the same thing happened but you didn't notice. That's where the certificate expiring comes into play. For a Lets Encrypt certificate there's currently going to be a maximum of 90 days where someone could find that private key and work out a way to exploit it, after that period the certificate would have expired and no longer be being used.
If I had compromised the Bank of America servers a couple of minutes would suffice to collect a ton of password combinations.
Improvements can be changes to cryptographic algorithms, like "Don't use SHA-1" or to the nuances of the certificate document like "Don't use this X509 feature" or to the CA infrastructure like "Don't issue certificates for names which don't exist".
Shortened certificate lifetimes improve agility by bringing forward that horizon. We can say "Stop doing X by August" tomorrow, and by Christmas 2026 there are no trusted end entity certificates which relied on X. A few years ago that took 3-5 years, at the turn of the century it was more than a decade and we repeatedly paid a price for that.
Risk of private keys/certificates from old backup media being leaked (remembering the adobe password leak...) and then suddenly coming back online and working until someone figures out how to revoke them
It also helps with things such as change of ownership so after a certain period of time you can have the peace of mind that certs potentially issued by the previous owners are not lingering around as active (I understand things such as revoking and pinning can help with this too but It's nice to have a plain time based expiry too).
Especially domain wide certs which need DNS auth.
DNS auth would be okish if it was simply tied to a txt entry in the DNS and valid as long as the txt entry is there. Why does LetsEncrypt expire the cert while the acme DNS entry is still there? Which attack vector does this prevent?
Also, why not support file based auth in .well-known/acme-challenge/... for domain wide certs? Which attack vector does that prevent?
That's like saying "why does the government expire my passport/driver's license when I haven't changed my name". That's not how it works; the document is stamped valid for a specific amount of time, and you get a new document with a new expiration time when you renew it.
The certificate from LE will expire automatically 90 days after it was provided, that's why you need to renew it before the 90 days are up.
If you hate setting up automated certificate renewal, you can still get longer-lasting certificates from paid certificate providers. It used to be that you needed to pay a company to generate a certificate for you every year, now you just get the option to have a free one every 90 days.
> Also, why not support file based auth in .well-known/acme-challenge/... for domain wide certs
An ACME challenge file on a web server proves that you control a specific server at a specific domain, so you get a certificate for a specific domain.
A DNS entry proves you control the entire domain, so you (can) get a certificate for the domain.
By uploading a file to tekmol.freewebhost.com, you haven't proven that you control either .freewebhost.com or .tekmol.freewebhost.com. You have just proven that you control tekmol.freewebhost.com.
Not for much longer, the maximum lifetime of a public certificate will progressively go down to 47 days by March 2029.
I took the easier route and let Cloudflare generate and handle certs for my domains. I’m on the free tier. I secure traffic between them and my host with an origin cert. By default those are valid for 15 years.
I know CF is frequently criticised around here, but wanted to mention it as an option.
And it's not just Cloudflare; there are plenty of other redirect-everything-through-a-CDN hosts available. If you don't mind giving Cloudflare control of your website (and barring visitors from countries like India where CGNAT makes everyone fill out CAPTCHAs every page load), this approach will take care of just about everything.
I’ve been impressed with how much I get on the free tier (my sites are small). With the DDoS protections, rate limit, WAF rules, and Turnstile, it feels like I can keep a significant amount of abusive traffic from reaching my host. It’s a pretty compelling tradeoff for me, anyway.
By uploading a file to tekmol.freewebhost.com,
you haven't proven that you control either
.freewebhost.com
Now, I can definitely see there being a system where the owner of the root domain (eg, freewebhost.com) can set up something in their own .well-known directory that specifies that any subdomains can only declare certs for that specific subdomain, rather than being able to claim a wildcard, and then we can allow certs that sign wildcards in cases where such a limiter is not in place.
In any case, this would only solve the DNS auth hurdle, not the overall expiration hurdle.
solve the DNS auth hurdle, not the
overall expiration hurdle
> That's like saying "why does the government expire my passport/driver's license when I haven't changed my name". That's not how it works; the document is stamped valid for a specific amount of time, and you get a new document with a new expiration time when you renew it.
Similar schemes have been used in the past as a forcing function against tax evasion or simply to phase out less secure older bills.
But Let's Encrypt doesn't charge anything. All they want is to confirm that you still control the domain. So why doesn't "the DNS record they had you add to begin with is still there" satisfy that requirement and allow you to repeatedly renew the certificate until it stops being there?
Tie the DNS challenge to the public key in the certificate. Then as long as it hasn't changed you can update the certificate without giving the update process modify access to the DNS server.
Meanwhile how does a stolen scan of an identity document become invalidated by requiring a renewal? The new document is identical and even contains the same ID number. The only difference is the date which anyone could trivially alter with a computer. For that matter the only thing they need from the stolen ID is the name and number, so even if you completely redesign the layout of the ID, someone with the old one can recreate a scan of the new layout using only the information on the old stolen one.
The problem here is not that you need IDs to expire, it's that you need fools to stop trying to rely on a computer image of an ID to authenticate anything.
Quite a few IDs contain a 2D barcode, and I believe at least some of these contain some offline-validateable signature over the basic data of the document, including the expiry date. That's not as trivial to forge.
On top of that, document expiry does help a bit with people trying to use a lost/stolen ID of somebody they happen to look similar to, adds a forcing function to make people eventually upgrade to newer/more secure document standards etc.
Most government IDs don't have that, and it's still not clear what good it would be doing when data breaches happen on much shorter timescales than ID expirations. Who cares if they stop being able to use the ID after 10 years, when they can use them for 10 years and there will be another breach providing them with a new batch of IDs to use in a matter of days rather than years?
> On top of that, document expiry does help a bit with people trying to use a lost/stolen ID of somebody they happen to look similar to
That seems like an extremely narrow advantage. If they just need some ID that looks like them then they can just get another one from the batch of fresh ones. If they need the ID of a specific person, the government still isn't authenticating renewals, so wouldn't they just use the existing stolen ID and pay for a renewal in that case, in which case we're back the only thing happening being the government extracts money?
Or no, in that case it's worse, because then they can submit a fresh picture of themselves to renew the ID which has someone else's name on it.
> adds a forcing function to make people eventually upgrade to newer/more secure document standards etc.
Which you already have because everybody eventually dies.
The DNS plugins only matter if you're trying to automate updating the DNS entry. The whole point is that you could have certbot spit out a DNS TXT record for the user to manually add to their DNS once, e.g. which contains the public key fingerprint of the certificate they want Let's Encrypt to renew on an ongoing basis, and then certbot would be able to renew the certificate as long as the DNS record remains in place.
Good luck.
In my experience, it takes a little effort to set things up the first time, but from then on it just works.
And I'm sympathetic to the concerns that automating this type of thing is hard - many of the simpler DNS tools - which otherwise more than cover the needs for 90% of users - do not support API control or have other compromises with doing so.
That said, I do think LE's requirements here are reasonable given how dangerous wildcard certs can be.
That's on the DNS provider in my opinion. They can, if they want to, make things easy and automatic for their customers, but they choose not to. There's a whole list of provider-specific plugins (https://eff-certbot.readthedocs.io/en/stable/using.html#dns-...) with many more unofficial ones available (https://pypi.org/search/?q=certbot-dns-*). Generic ones, like the DirectAdmin one, will work for many web hosts that don't have their own APIs.
If you like to stick with whatever domain provider you picked and still want to use Let's Encrypt DNS validation, you can create a CNAME to another domain on a domain provider that does have API control. For instance, you could grab one of those free webhosting domains (rjst01.weirdfreewebhostthatputsadsinyourhtml.biz) with DirectAdmin access, create a TXT record there, and CNAME the real domain to that free web host. Janky, but it'll let you keep using the bespoke, API-less registrar.
I imagine you could set up a small DNS service offering this kind of DNS access for a modest fee ($1 per year?) just to host API-controllable CNAME DNS validation records. Then again, most of the time the people picking weird, browser-only domain registrars do so because it allows them to save a buck, so unless it's free the service will probably not see much use.
An attacker should not gain the ability to persistently issue certificates because they have one-time access to DNS. A non-technical user may not notice that the record has been added.
> Also, why not support file based auth in .well-known/acme-challenge/... for domain wide certs? Which attack vector does that prevent?
Control over a subdomain (or even control over the root-level domain) does not and should not allow certificate issuance for arbitrary subdomains. Consider the case where the root level domain is hosted with a marketing agency that may not follow security best practices. If their web server is compromised, the attacker should not be able to issue certificates for the secure internal web applications hosted on subdomains.
They wouldn't. As soon as the owner of the domain removes the TXT entry that ability would be gone.
(Which in general would be a good practise anyway, because many services do use domain validation processes similar to what you propose)
They will likely always be a pain and many aspects of Web security are cumbersome. It is simply a reflection of the fact that the Web, like e-mail, was not designed to be secure in the first place, being used in organisations where you can rely on trust. As a result the security stuff is just bolted on and often only in response to the previous solution failing. The previous layers stick around like zombie flesh until they are unceremoniously deprecated and cut away a decade later. A new system designed from scratch would be less cumbersome.
The solutions exist, depensa on the providers and your client.
$ curl https://example.com -vI --stderr - | grep "expire date"
* expire date: Jan 15 23:59:59 2026 GMT