Letsencrypt to end sending reminders by email this June

Wow, this is quite the news. I will paste it here so it remains as history (received it as an email recently):

Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us. We will be ending this service on June 4, 2025. The decision to end this service is the result of the following factors:

  1. Over the past 10 years more and more of our subscribers have been able to put reliable automation into place for certificate renewal.
  2. Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us.
  3. Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.
  4. Providing expiration notifications adds complexity to our infrastructure, which takes time and attention to manage and increases the likelihood of mistakes being made. Over the long term, particularly as we add support for new service components, we need to manage overall complexity by phasing out system components that can no longer be justified.

For those who would like to continue receiving expiration notifications, we recommend using a third party service such as Red Sift Certificates Lite (formerly Hardenize). Red Sift’s monitoring service providing expiration emails is free of charge for up to 250 certificates. More monitoring options can be found here.

While we will be minimizing the email addresses we retain connected to issuance data, you can opt in to receive other emails. We’ll keep you informed about technical updates, and other news about Let’s Encrypt and our parent nonprofit, ISRG, based on the preferences you choose. You can sign up for our email lists below:

What do you personally think about this? Did we fail as individuals to offer support? I think such warning emails were very important for many small organizations; I can’t tell how many times it saved my skin in small orgs where I was the one responsible for HTTPS support :frowning:, not to mention how handy it was to all of us.

4 Likes

Did you not have any scripts to auto-renew?

I get email reminders but because I get so many emails (and have renewal scripts) I just never really paid attention to them. They’d be more useful if they were sent when a cert expired imo

2 Likes

Reading their announcement I feel that it is not a problem with the amount of money, it is an operational problem, and they simply prefer to move those funds elsewhere. Looking at the list of their sponsors I doubt that money is the issue there.

4 Likes

@AstonJ @hauleth guys, I understand you completely, but this points to a bigger problem: how about we address that before it becomes too late? I think the way it was started was perfect, let’s try to keep the internet open, because it affects all of us. As stupid as it sounds, this is one of the biggest threats I’ve seen to OSS.

1 Like

…OK but what threat? :thinking:

I only had to do this once and just set up a calendar event with reminders 2 weeks before and then another one, 1 week before.

And as Aston said, there are scripts to auto-renew (I didn’t pursue this).

What did we “fail” as a community to support? They offered it for free, people took it for free, now they complain that it’s either too expensive, too troublesome, or both. They decide to cut the free email reminders but keep their core offer intact which is still free and super valuable. What’s the big deal?

5 Likes

I’m just relieved to know that I’m not the only one who hasn’t bothered to add this to cron :sweat_smile: I don’t have it set up to do it with zero downtime and there is a psychological factor of having control over/being “present” for the downtime. This should give me the kick I need to just to automate it, though.

2 Likes

I use Caddy and never have to worry about certs, OCSP stapling or other related things.

8 Likes

Honestly, no matter what the reason is, it’s one less place on the web where we have to keep our email addresses on the server side, and that’s always a good thing, especially since many of us don’t even have to do anything about it if automated scripts are working already. Also, half a year should be more than enough for others to prepare for it. :+1:

4 Likes

I have multiple sites set up with Let’s Encrypt and every one has auto renewal set up, but still, sometimes the mail saved me when that renewal failed for some reason. So for me this is not a good evolution.

1 Like

Certbot automatically sets up auto-renew on Debian and/or Ubuntu hosts nowadays; I think I have not had to set up auto-renew myself since 2018.

If I recall correctly it runs every day, but as a dry run, until it enters a 19-day-to-expiration period where it actually does the renewal, so if something goes wrong you have 19 days to fix it.

@D4no0 would your SSLMoon product be able to check and warn for certs that come close to expiry?

1 Like

If you have a straightforward setup you should be able to set up a simple cron job that runs certbot renew twice a day.

Alternatively you could set up your own script to check whether you are nearing expiry, then set it to email you on failure - or just get the script to fail if you have cron to email the server admin on failure of any cron jobs. In this case you could use something like this:

#!/bin/bash
set -euo pipefail

# Domain to check: first argument, or the default below
domain="${1:-elixirforum.com}"  # Replace with your domain or pass it as an argument

# Path to the certificate file written by certbot
cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

# Check if the certificate file exists
if [[ ! -f "$cert_file" ]]; then
  echo "Certificate file not found: $cert_file" >&2
  exit 1  # Fail with a non-zero exit code
fi

# Extract the expiration date of the leaf certificate (openssl x509 reads the
# first PEM block in the bundle), e.g. "Mar  1 12:00:00 2025 GMT"
expires=$(openssl x509 -enddate -noout -in "$cert_file" | cut -d= -f2)

# Convert the expiration date to a Unix timestamp (GNU date syntax)
expires_timestamp=$(date -d "$expires" +%s)

# Get the current timestamp
current_timestamp=$(date +%s)

# Number of seconds in two weeks (14 days)
two_weeks=$((14 * 24 * 60 * 60))

# Check if the certificate expires in less than two weeks
if (( expires_timestamp - current_timestamp < two_weeks )); then
  echo "The SSL certificate for $domain expires on $expires. Please renew it soon!" >&2
  exit 1  # Fail with a non-zero exit code so cron mails the admin
fi

# If everything is fine, exit with success
exit 0

Please note this is untested! I used DeepSeek to help me convert parts of my old Ruby script to Bash.

2 Likes

Yep, that is already implemented and it can be extended to also check for certificates expiration in the chain, even though that is a more common case for big corporations/governments where they have custom chains of certificates. The notification part is yet to be implemented, but that is trivial.

Technologically I know it’s easy, I think certbot even features a daemon that does this automatically these days.

The main concern I want to point out is that this is, as @Hermanverschooten said, a negative evolution. If we talk about operational costs, how much does it cost to keep a server that sends those expiry emails? $10/month? Make it $100. We as developers know that development of such a platform is a few days at most of solo work.

I fear that this is just the beginning of Let’s Encrypt vanishing from the map forever. This will also be a sign that the internet will be in full control of corporations, which is not something I look forward to.

4 Likes
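The script posted earlier in the thread looks only at the leaf certificate, and the reply above notes that expiry of a certificate further up the chain is the more common failure for custom chains. The following is an added example, not code from any post in this thread: it walks every PEM block in a chain file and uses `openssl x509 -checkend`, which does the date arithmetic inside OpenSSL, so it does not depend on GNU `date -d`. The demo helper generates self-signed certificates as constructed test data; the file name `fullchain.pem` and the 14-day threshold are assumptions, not something the thread prescribes.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): warn when ANY certificate in a PEM chain
# file is within N days of expiry. Exit status: 0 = all fine, 1 = at least one
# certificate expiring soon, 2 = unreadable or empty input.
set -uo pipefail

check_chain_expiry() {
  local chain_file="$1"
  local days="${2:-14}"              # assumed warn threshold
  local seconds=$((days * 86400))
  local status=0 idx=0 cert=""
  local subject enddate line

  [[ -r "$chain_file" ]] || { echo "cannot read $chain_file" >&2; return 2; }

  # fullchain.pem holds the leaf first, then the intermediate(s); check each block.
  while IFS= read -r line; do
    cert+="$line"$'\n'
    [[ "$line" == "-----END CERTIFICATE-----" ]] || continue
    idx=$((idx + 1))
    subject=$(printf '%s' "$cert" | openssl x509 -noout -subject)
    enddate=$(printf '%s' "$cert" | openssl x509 -noout -enddate | cut -d= -f2)
    # -checkend returns 0 if the cert is still valid after $seconds, 1 otherwise
    if printf '%s' "$cert" | openssl x509 -noout -checkend "$seconds" >/dev/null; then
      echo "ok   #$idx $subject, valid until $enddate"
    else
      echo "WARN #$idx $subject expires within $days days ($enddate)" >&2
      status=1
    fi
    cert=""
  done < "$chain_file"

  (( idx > 0 )) || { echo "no PEM certificates in $chain_file" >&2; return 2; }
  return "$status"
}

# Demo-only helper: a self-signed cert valid for $2 days (constructed test data,
# standing in for a real /etc/letsencrypt/live/<domain>/fullchain.pem).
make_demo_cert() {
  local out="$1" days="$2" cn="$3"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "${out%.pem}.key" -subj "/CN=$cn" -days "$days" -out "$out" 2>/dev/null
}

if [[ "${BASH_SOURCE[0]:-}" == "$0" ]]; then
  demo=$(mktemp -d)
  make_demo_cert "$demo/leaf.pem" 5 "expiring.example.test"
  make_demo_cert "$demo/intermediate.pem" 365 "Demo Intermediate CA"
  cat "$demo/leaf.pem" "$demo/intermediate.pem" > "$demo/fullchain.pem"
  check_chain_expiry "$demo/fullchain.pem" 14 || echo "exit $? -> cron would mail MAILTO"
  rm -rf "$demo"
fi
```

To get the "mail me only when something is wrong" behaviour from cron, remember that cron mails any output, not just failures: set `MAILTO` in the crontab and redirect stdout to `/dev/null` so only the `WARN` lines on stderr reach you.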

That is the problem here. It is not just hosting a server, you also need to:

  • monitor it
  • secure it
  • store email addresses somewhere (securely as it is PII)
  • monitor its reputation
  • manage DKIM/SPF
  • set up a GDPR policy and have a GDPR officer responsible for reacting to breaches

So it becomes more and more complex. It is simple if you do it as a toy, not if it is for a large endeavour like LE. Also, with such an email service you may create unfounded trust that LE will always remind you about expiration dates, while there is no such contract or obligation on LE’s side. If you want to ensure that your certificates are always viable, then you need to set up monitoring on your own anyway. So those LE messages only cause problems for LE, in my opinion, for no real gain.

8 Likes

You are completely right! I worked too much in startups where people just whack stuff in production, I forget sometimes that people do things properly :smiley: .

I am not against having localized services for this; I just hope that signed certificates will not become a burdensome endeavor like it currently is to publish an application on Android/iOS, it’s really horrible.

2 Likes

This is an interesting thread. I’ve been using Let’s Encrypt since it came out and I don’t know if I’ve ever looked at an email from them.

Let’s Encrypt has always had an automated offering - it’s one of the key principles that was mentioned in the original announcement. certbot (originally letsencrypt) has always been able to automate the process without messing with cron or anything. I just used it a couple days ago to add a new cert to a server, and it’s the same process it’s always been - just run certbot, add the new domains, and that’s it, forever. The only difference today is that it’s distributed via snap on Ubuntu, for better or worse.

To me, this thread just leads me to believe that they’d be better off spending whatever money they use for emails on informing users about how to automate the process.

I suppose if you aren’t running your own server maybe it’s not as straightforward? I don’t know how various app platforms handle it, but it seems like it should be easier, if anything. I’d be interested to know in what situations this can’t be easily automated.

Also, I’m not trying to do some “holier-than-thou” thing - I just genuinely am surprised by this. I also understand that the emails can be useful in some situations, but there are plenty of alternatives, which have been mentioned already. I’d be happy to help anyone with automating this - feel free to reach out!

3 Likes

Note, you can even manage renewals right in your supervision tree. The Erlangelist - Operating via development

6 Likes