Posted by zdw 4 days ago

LetsEncrypt – Expiration Notification Service Has Ended(letsencrypt.org)
178 points | 136 comments (page 2)
cosmodev 4 days ago|
I was using this with Certbot for 17 different domains; it's a bit sad to see it go. I'm not even sure if I ever relied on the notifications, but just knowing it existed gave some peace of mind.
Jazgot 4 days ago||
This pushed me to automate certificate renewal for all my domains. This is much better than waiting for any kind of notifications, and it was very easy. I think this is a very good decision on their part.
toast0 4 days ago|
These emails were handy to detect when the automation failed.
tialaramex 4 days ago||
I strongly recommend building affirmative detection. A script which checks everything is OK and either tells everybody "Yeah, everything is OK" or "Here are the problems" means when, inevitably, that script doesn't fire, you don't get the false impression everything is OK.

All "silent success" detection systems will also silently fail and so they're worse than useless in my experience.

builtsimple 3 days ago||
This is a smart move. The amount of infrastructure complexity for what's essentially a band-aid for poor automation practices wasn't worth it. We migrated ~800 domains to LE back in 2019 and initially relied heavily on those expiration emails as a safety net. But honestly, they became more of a crutch than a help. Once we implemented proper monitoring with Prometheus + cert-manager, we haven't had a single cert expire unexpectedly.

The privacy angle is interesting too. I hadn't considered how much PII they were sitting on just for this feature. With GDPR and similar regulations, that's a significant liability for what amounts to "your cron job didn't run" notifications.

For anyone panicking about this: if you're still depending on email notifications for cert renewal in 2025, this is your wake-up call to implement actual monitoring. Even a simple bash script that checks cert expiry dates and posts to a Slack webhook would be more reliable than email notifications.

Curious what their infrastructure costs actually were for this. "Tens of thousands per year" seems low for managing millions of emails, but I guess if it's just queuing jobs to an email service provider, that tracks.
nikolayasdf123 4 days ago||
is there a Slack bot for expiry checks?
general1726 4 days ago|
Write a lambda in some cloud provider framework and run it every 1 hour to 24 hours and if it finds expired certificate, it will use webhooks to send you a message on Slack or Gotify or whatever.

Or you can just periodically renew the certificate on server using Task Scheduler + win-acme or Cron and certbot.

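A checker in the spirit of both tialaramex's "affirmative detection" comment and general1726's scheduled script that posts to a webhook. This is an added example, not code from the thread, from Certbot or from Let's Encrypt; the host names are constructed, the webhook URL is assumed to be your own Slack-style incoming webhook, and the 14-day threshold is an assumed policy.

```python
import json, socket, ssl, urllib.request
from datetime import datetime, timedelta, timezone

WARN_DAYS = 14  # assumed policy: ACME clients usually renew with ~30 days left, so under 14 means renewal is failing

def fetch_not_after(host, port=443, timeout=5.0):
    """Connect with TLS and return the served leaf certificate's notAfter as UTC (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]  # e.g. 'Jun  1 12:00:00 2025 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)

def classify(host, not_after, now, warn_days=WARN_DAYS):
    """One host's status; a failed fetch (passed in as the Exception) is itself a problem, never 'OK'."""
    if isinstance(not_after, Exception):
        return {"host": host, "status": "ERROR", "detail": f"{type(not_after).__name__}: {not_after}"}
    days = (not_after - now).days
    status = "EXPIRED" if days < 0 else "EXPIRING" if days < warn_days else "OK"
    return {"host": host, "status": status, "detail": f"{days} days left"}

def run_check(hosts, fetch=fetch_not_after, now=None, warn_days=WARN_DAYS):
    """Affirmative report: always returns a message, so silence means the checker itself did not run."""
    now = now or datetime.now(timezone.utc)
    results = []
    for host in hosts:
        try:
            value = fetch(host)
        except Exception as exc:  # DNS failure, timeout, handshake or validation error: still a result
            value = exc
        results.append(classify(host, value, now, warn_days))
    problems = [r for r in results if r["status"] != "OK"]
    if problems:
        text = "Certificate problems:\n" + "\n".join(f"- {r['host']}: {r['status']} ({r['detail']})" for r in problems)
    else:
        text = f"All {len(results)} certificates OK"
    return {"ok": not problems, "text": text, "results": results}

def post_webhook(url, text):
    # Slack-style incoming webhooks accept a JSON body with a 'text' field (assumed webhook format).
    req = urllib.request.Request(url, data=json.dumps({"text": text}).encode(), headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def demo_report():
    """Exercise the report on constructed data instead of live hosts: one healthy, one near expiry, one unreachable."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    fake = {"ok.example": now + timedelta(days=60), "late.example": now + timedelta(days=5)}
    def fetch(host):
        return fake[host]  # KeyError for the unknown host stands in for a DNS or connection failure
    return run_check(list(fake) + ["down.example"], fetch=fetch, now=now)
```

Run it from cron or a scheduled task with `post_webhook(url, run_check(hosts)["text"])`; because the "all OK" message is sent as well, a day with no message at all is itself the alarm.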
nikolayasdf123 3 days ago||
haha, I was asking if somebody built that or recommends a good open-source version of exactly this
wordofx 4 days ago||
[flagged]
Timshel 4 days ago||
Yeah a list of emails is not similar to a db of email/certificate association ...
wordofx 4 days ago||
[flagged]
gleenn 4 days ago||
Sending single custom emails is much more effort than bulk-mailing a huge list operationally. Sending bulk can be accomplished by uploading a CSV of emails to some email bulk sender versus code to run at the correct time for the correct user... way easier in bulk and way cheaper.
wordofx 4 days ago|||
It has nothing to do with complexity.

> Providing expiration notification emails means that we have to _retain millions of email addresses_ connected to issuance records. As an organization that _values privacy_, removing this requirement is important to us.

A mailing list is still retaining emails somewhere. Doesn't matter if it's stored in a text file on a USB drive in a vault. It's still retaining an email list.

nulbyte 4 days ago||
I think the key part is what you didn't emphasize: "connected with issuance records." A list of email addresses is just a list of email addresses. A list of email addresses with domains over which the recipient has control is far more interesting data.
wordofx 4 days ago||
Irrelevant.
Y_Y 4 days ago|||
Is it truly much more difficult? At worst you could batch them by week and registered email, a one-liner can generate the list of destinations, and then you send that to your newsletter-sender-service and call the email "your cert is expiring next week".
szszrk 4 days ago|||
Of course it's more difficult.

You are talking of a volume of around 600 000 000 domains (based on a plot on their website) that try to renew at best after 8 weeks. And that's just the default profile; there are 160-hour cert profiles now [0].

You think they will ever send nearly as much as (at least) 75 million newsletter mails weekly? SendGrid's highest value in their pricing slider is 1.25 million a week.

- [0] https://letsencrypt.org/docs/profiles/

leakycap 4 days ago|||
It is easy to think something like this is easy until you attempt to do it.

Are you really questioning a free SSL Certificate system when it says something is too complex and not worth it?

If you ever set up a free SSL before LetsEncrypt, you'd know they're amazing and you can trust them not to lie to you, especially about this where they've outlined the reasons clearly.

cbenskxk 4 days ago|
Will email still be required for getting certs?
TonyTrapp 4 days ago||
I don't think it ever was? I never gave my email address to LetsEncrypt but I'm also not using their official client.
cpach 4 days ago||
Account registration is done by sending a public key to a certain API endpoint. The key will become associated with an account URL that looks like this: https://acme-v02.api.letsencrypt.org/acme/acct/4277968575
dizhn 4 days ago||
As far as I know, no.