Let's Encrypt Ending Support for Expiration Notification Emails
letsencrypt.org/2025/01/22/ending-expiration-em…
Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us. We will be ending this service on June 4, 2025. The decision to end this service is the result of the following factors:
- Over the past 10 years more and more of our subscribers have been able to put reliable automation into place for certificate renewal.
- Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us.
- Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.
- Providing expiration notifications adds complexity to our infrastructure, which takes time and attention to manage and increases the likelihood of mistakes being made. Over the long term, particularly as we add support for new service components, we need to manage overall complexity by phasing out system components that can no longer be justified.
Dietpi has an automatic letsencrypt recert service which could probably be ported since it's just a whiptail script
Those emails have warned me something was pooched in advance many times. I do find them useful.
Sad to see them go, but nice they mention an alternative.
Pretty much all monitoring solutions on the market track cert expiration nowadays. I get an alert when any of my certs have <5 days left
What monitoring solution do you use? I need to set something up for my own projects but haven't gotten around to it. Any experience with Nagios?
I set up Uptime Kuma to also monitor certs this week when I got the reminder email about them stopping the email warnings. I've been using it for some time for uptime monitoring (mostly to see if some auto Docker image update screws up my services), and the notification part has worked nicely for that, so I'm also assuming it will work nicely for the certificates.
I use NewRelic myself. They are software agnostic and only connect to your URL to get the expiration date.
If you set up LE correctly, it should never get an alert. I haven't been alerted since I set it up, to the point that I wonder if I set up the monitor correctly.
The only thing I wish it could do is use custom ports. I have some services running on non-standard ports.
If you have the time to spare (a few weeks perhaps, if coming from zero) to experiment and read, Prometheus and Grafana offer a lot and can be really flexible. I use a pretty simple bash script that scrapes my desired https endpoints and writes out the results to a file Prometheus (node-exporter) understands, and from there I can write alert rules in Grafana to fire off notices by email or Slack.
I’ve mainly gotten false positives, myself. When I’ve added another subdomain or something and the certificate gets set up differently, so then you get 2-3 emails saying domain X will expire, but if you connect to the url you see it has 80+ days left.
Setting up your own monitoring solution is probably long overdue for myself, and it’s nice I’m getting forced to do it, in a way
I did set up UptimeKuma for notifications on this. Let's see if it works out when the expiry arrives in a month.
I think I'll need to add notifications for my Uptime Kuma as well now. So far I've used it mostly for historical data, but without the mails I would like to get a notice.
Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year
Not doubting them, but I don't understand how that's possible.
Storing the email addresses and expiration dates takes an irrelevant amount of storage space, even if they had billions of customers.
Sending the emails should also not cost thousands, even if a significant amount of customers regularly let their certificates expire (which hopefully isn't the case).
So where are the tens of thousands of yearly costs coming from?
As with all things email, they probably really wanted to make sure that the mails were delivered and thus were using a commercial MTA to ensure that.
I'd wager, even at 20 or 30 or 40k a year, that's way less than it'd cost to host infra and have at least two if not three engineers available 24/7 to maintain critical infra.
Looking at my mail, over the years I've gotten a couple hundred email from them around certificates and expirations (and other things), and if you assume there's a couple million sites using these certs, I could easily see how you'd end up in a situation where this could scale in cost very very slowly, until it's suddenly a major drain.
If they send 2 emails per subdomain per year, that could easily be 10s of millions which would make the cost per email measured in thousandths of a cent. And I could see the number of subdomains being larger by a factor of 10, maybe more.
Another angle: someone with IT experience needs to manage the system that sends emails, and other engineers need to integrate other systems with the email reminder system. The time spent on engineering could easily add up to thousands per year, if not tens of thousands.
I'm guessing their figure is based on both running costs and engineering costs.
According to their stats page, Let's Encrypt's certificates are used by around 500M domains.
So SendGrid, checking, does 2.5M emails a month for $90/month, and I'd call them the Cadillac provider. More than that and you have to contact sales, so I'm still wondering how it's that expensive for them.
Transactional email services are about $15 per 10,000 emails. I'll round down to $10 to consider b2b deals and let's just say it's $10,000 per year. That would be like idk 84k emails a month.
Keep in mind this doesn't consider the DB hosting and the processing of expiring emails and salaries, so yeah, I could see it.
Edit: before anyone yells at me. I can't math.
Not yelling, but pointing out, to people who also don't math, that if we assume $10 per 10k emails (or $1 per 1k, for simpler math), that'd be $84 for 84,000 emails in a month, so you need to add another 0 to the figure (i.e. 840k emails in a month).
I just realized I have no idea who pays for Let's Encrypt. I just run the server commands, automate it, and move on.
Let's Encrypt is run by a non-profit (Internet Security Research Group), they list their major sponsors and funders on their website.
I think it's a good idea, everyone should be automating this anyway.
This is still not possible in all scenarios. For example, wildcard certificates for DNS providers with no API support.
Then swap your nameservers to a DNS provider that allows that?
There are a lot of embedded systems that do not offer API support to swap out certificates. Things like switches, DVRs, NAS devices, etc.
How are those devices affected by having no notification anymore? The manual labor exists anyway.
Most network switches and devices have a web gui to switch them out. Those can be automated.
Honestly in rare situations that a device like that needs to be accessible from the wild Internet I think it'd be mad to expose it directly, especially if it's not manageable as you suggest. At the very least, I'd be leaning on a reverse proxy.
That implies though I don’t want valid certificates in my environment. I still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
Valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.
But then you have to distribute CAs to all the devices that will reach this service, and not all devices allow that.
still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
Is there a hard source with evidence that this is at all needed? Because there are a lot of things that "security departments" do that amount to security theater. Like forcing arbitrary password changes org wide.
Regardless of “hard evidence” it’s still the company policy. How well does it go over if you try to say “well acktuslly…” when it comes to password changes.
I'm with you, but that's why I'm automating certificate expiry checking somewhere else (in my home assistant install to be exact).
I manage all my certs using Cert Warden which has a dashboard that displays the expiry date. It does lack alerting, so I use Uptime-kuma to monitor the expiry dates of the certs. So not a big loss for me.
Mine just auto renews anyway
I think that's the case for most of us. But for some like myself, it does mean I have to do the monitoring myself now. I can't complain; it was a free service. But it did warn me about a renewal problem before the cert expired, so it was a useful service for me.
I just wish I wouldn't have to renew certs so often.
If Apple gets their way, you'll be renewing every month:
You're not supposed to do it manually.
My server does it automatically, but I have a few services I can't make read the certs from server storage, so I have to manually copy the cert content. Especially Adguard Home, for some reason, refuses to read my certs.
Have you tried to automate it?
Fullchain.pem works. Privkey doesn't. I've tried chmod 777 (yes, I know, just testing) and still can't access the file.
PSA: If you use Cloudflare to proxy, you can get a free decade-long certificate and not worry about it for a while.
OP, can you please remove the four spaces preceding each paragraph in your post? That syntax is for code formatting. It triggers a monospace font and puts each paragraph into a single line, forcing readers into painstaking horizontal scrolling to be able to read each one. It's like trying to read a book through a keyhole.
Fixed it now, I didn't realize that the copy and paste had those spaces in front.
Thanks!
Could be your client. With Sync it properly word wraps, and for myself I actually find this font easier to read
My "client" is Lemmy's native UI, and is rendering it correctly according to markdown and html specs. If your client is wrapping it or using a variable-width font, then that's convenient for you in this case, but it's violating the spec. (This is somewhat common in mobile apps, so I guess you're reading on a phone.)
Sync markup/rendering is presently a semi-completed conversion from reddit's and it's functional *enough*.
It doesn't wrap in the default web interface.
And the default web interface should absolutely be our standard.
Yeah, I love Sync, but currently it's the last thing I would pick to set a standard
It is not the client, that is actually how markdown works. Every markdown guide specifically tells you to avoid this indentation because it's meant for code blocks, which by default do not wrap text lines.
They're talking specifically about the word wrapping. Note in their screenshot it is properly rendered in monospace code block font.
I know, clients not wrapping lines in code blocks are also "rendering properly". Wrapping is up to the client's parser, which is why I noted to use the appropriate syntax regardless.
If it was actually code that isn't the correct behavior. Code doesn't line wrap, because line breaks mean something in most languages, so introducing virtual line breaks causes confusion.
Readable on Voyager as well.
EDIT: Not to say it looks good, but it's readable.
The syntax colouring really doesn't help, though. Standard font looks better for text blocks than a code block.
Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us. We will be ending this service on June 4, 2025. The decision to end this service is the result of the following factors:
- Over the past 10 years more and more of our subscribers have been able to put reliable automation into place for certificate renewal.
- Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us.
- Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.
- Providing expiration notifications adds complexity to our infrastructure, which takes time and attention to manage and increases the likelihood of mistakes being made. Over the long term, particularly as we add support for new service components, we need to manage overall complexity by phasing out system components that can no longer be justified.
Much easier to read
Ah thanks for pointing it out, I fixed the formatting.
Well, that kind of sucks. I wish they had more tutorials about how to automate, then, because if you're not using http-01 via certbot due to port 80 being blocked (which is pretty common if you're on a residential line), you have to use dns-01 and manual hooks, which isn't exactly clear or documented well.
Is that mostly for ISPs running CGNAT?
What manual hooks? All the systems I've used LE certs in have supported fully automatic DNS challenges.
Can't speak for OP, but they can't seem to automate my Network Solutions DNS through plugins.
I don't know why in the hell they are such sticklers about wild card domains. Just let me off it on any working domain, hell, force me to author on this is my wildcard.Mydomain.com. the DNS authorization is an unnecessary
I mean that's just another item in the long list of reasons you should not be using Network Solutions.
You're not wrong, but they don't support quite a lot.
There are multiple different ways you can configure certbot to verify.
And DNS is the only one available for wildcards, and unless you're using a plugin-capable DNS service, they suck at it.
Sigh, yeah I know that and that's not the point I was making but sure.
If you use Caddy with ACME DNS, all of this can be automated.
If you also use Cloudflare, you can do that + traffic routing with cloudflared without any need for port forwarding.
Using nginx with certbot and Duck DNS, I ended up using the manual option with authentication, cleanup, and post bash scripts, and then a final script that I called from a cron job that called the scripts every three months.
Just from a beginning user of Let's Encrypt: while a software developer, I'm not versed in backend development, and I found the documentation to be a bit hit or miss, understandable with a plethora of open source projects. Using certbot, because that's the rabbit hole Let's Encrypt first sends you down, the documentation, while available, isn't easy to navigate in my opinion, and it took me a while to track down the variables used to pass down the text, and the bulk of examples found were all using http-01.
I just think that if you're not someone with a background in tech, just wanting to get a server up and running with SSL following a bunch of other tutorials and guides, it could be a bit better to get adoption.
Change is hard, I get it. If this change is upsetting, I'd personally figure out the automation piece. It took me a bit, but after getting it going it's rock solid. If using Linux of some flavor, acme.sh works really well.
It's not just figuring out the automation. If they don't have a plugin for your DNS provider, and you need a wildcard, that automation gets kind of dicey.
Agreed.
For us the mitigation is to do a little monitoring with alerts set to start casually at 29 days out and enter critical 13 days out (out from expiry).
I'll end up with a nagios alarm with an x509 check
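Two of the monitoring approaches mentioned in this thread, a script that reads the expiry of HTTPS endpoints and writes a file node-exporter understands, and a Nagios-style x509 check with alerts starting at 29 days out and going critical at 13, fit in one small program. The following is an added example for this thread, not code from Let's Encrypt, Uptime Kuma, Nagios or any commenter: it opens a verified TLS connection to each endpoint (any port, so services on non-standard ports are covered), reads notAfter from the leaf certificate, and emits both a Nagios exit code with a status line and a Prometheus textfile-collector metric. The host names, ports and the 29/13-day thresholds are assumptions taken from the discussion.

```python
"""TLS certificate expiry check reporting both as a Nagios-style plugin result
(exit code + status line with perfdata) and as a Prometheus node-exporter
textfile-collector metric.

Added example for this thread; not code from Let's Encrypt, Uptime Kuma,
Nagios or any commenter. Host names, ports and thresholds are assumptions.
"""
import os
import socket
import ssl
import sys
import time

# Exit codes follow the Nagios plugin convention.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
# Order used when combining results: a failed check must not hide a CRITICAL.
_SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}

WARN_DAYS = 29  # "start casually at 29 days out" (assumed threshold)
CRIT_DAYS = 13  # "enter critical 13 days out" (assumed threshold)


def fetch_not_after(host, port=443, timeout=5.0):
    """Open a TLS connection (SNI = host, system trust store) and return the
    leaf certificate's notAfter as Unix time. Any port may be given."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # populated only after verification
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_remaining(not_after, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)


def classify(days):
    """Map days remaining to (exit code, label) using the thresholds above."""
    if days < 0:
        return CRITICAL, "EXPIRED"
    if days <= CRIT_DAYS:
        return CRITICAL, "CRITICAL"
    if days <= WARN_DAYS:
        return WARNING, "WARNING"
    return OK, "OK"


def nagios_line(host, port, days):
    """One Nagios-style status line with perfdata (label=value;warn;crit)."""
    code, label = classify(days)
    return code, (f"{label} - {host}:{port} certificate expires in {days} days"
                  f"|days_left={days};{WARN_DAYS};{CRIT_DAYS}")


def prometheus_text(samples):
    """Render (host, port, not_after) samples in textfile-collector format.
    An alert rule compares against time(), e.g.
    tls_cert_not_after_seconds - time() < 13 * 86400."""
    out = ["# HELP tls_cert_not_after_seconds Certificate notAfter as Unix time.",
           "# TYPE tls_cert_not_after_seconds gauge"]
    for host, port, not_after in samples:
        out.append(f'tls_cert_not_after_seconds{{host="{host}",port="{port}"}} {not_after}')
    return "\n".join(out) + "\n"


def check_endpoints(endpoints, now=None, fetch=fetch_not_after):
    """Check each (host, port). Returns (worst exit code, status lines, metrics).
    `fetch` is injectable so the logic can be exercised without a network."""
    worst, status, samples = OK, [], []
    for host, port in endpoints:
        try:
            not_after = fetch(host, port)
        except (OSError, KeyError, ValueError) as exc:
            # Refused connection, failed handshake/verification, odd cert:
            # report UNKNOWN so the alert still fires but is distinguishable
            # from a real expiry.
            code, line = UNKNOWN, f"UNKNOWN - {host}:{port} check failed: {exc}"
        else:
            days = days_remaining(not_after, now)
            code, line = nagios_line(host, port, days)
            samples.append((host, port, not_after))
        status.append(line)
        if _SEVERITY[code] > _SEVERITY[worst]:
            worst = code
    return worst, status, prometheus_text(samples)


def write_textfile(path, text):
    """Write atomically (tmp + rename) so node-exporter never reads a partial file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Constructed inventory (assumption); replace with your own hosts and ports.
    targets = [("example.com", 443), ("example.net", 8443)]
    code, lines, metrics = check_endpoints(targets)
    print("\n".join(lines))
    if len(sys.argv) > 1:  # e.g. the node-exporter textfile directory
        write_textfile(sys.argv[1], metrics)
    sys.exit(code)
```

Run it from cron as a Nagios/Icinga check, or pass a path in node-exporter's textfile directory to also publish the metric. The metric is the raw notAfter timestamp rather than "days left", so a rule like `tls_cert_not_after_seconds - time() < 13 * 86400` stays correct regardless of how often the script runs, and a connection or verification failure surfaces as UNKNOWN instead of a silently missing sample, which matters for the failure mode the thread describes: a renewal client that has quietly stopped working.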
It's more than needing a reminder: Let's Encrypt certs are valid for a maximum of 90 days before they need to be reissued. Doing this 4 times (or more) a year, for years on end, will be tedious and error-prone.
Most tools that request and install Let's Encrypt certs automatically do this without the need for human interaction (30 days prior to the expiration). Actually, they work so well you don't notice the "behind the scenes work" that's happening.
The problem is when this renewal process "stops working". I'd been using Let's Encrypt for years w/o problems, but eventually the client I was using wasn't updating and it was using a deprecated Let's Encrypt API. Ultimately, the cert stopped updating, but I got the email reminder from Let's Encrypt and I was able to fix it w/o a disruption.
Now, this was just a server for personal use. So if the SSL cert expired, it would not be the end of the world. Plus, I would have gotten a bunch of SSL errors the next time my client was trying to sync data, and I probably would have dropped everything to fix it. But the email reminder was a *convenient* feature, which allowed me to fix it whenever I had time.
That said, if Let's Encrypt wants to save some money for their *free service*, I'm certainly not going to complain (although I will miss it).
I scheduled a doctor's appointment recently and they were confused when I opted out of SMS notifications. They were shocked when I whipped out my calendar to type the appointment in. 😅
do you not automate the renewal of your certificates?
The only time I've ever gotten the expiring cert emails is after I decommission a service that had certificates and no longer renew it.
They don't support my DNS provider and they don't support my web server.
Automating the web server isn't very hard; automating the DNS providers is a royal pain in the ass.
I think yeah, most people don't use calendars. My wife doesn't even use one at work.
My dad though started using it after I implemented audible announcements of them in Home Assistant. He normally doesn't use his phone or computer much, but this way anywhere he is in his house he is reminded 90min before the event and then at the event again. With this he never misses appointments at doctors and so on anymore. That was what pushed him to use a digital calendar, every missed appointment costs quite some money.
I use uptime kuma to check my certificate isn't going to expire.
Also tells me if any of my services are down.
Uptime kuma's pretty nice for such a light duty package
Yup it's great
I think uptime Kuma can be configured to look for expiring certs
I actually think it's set by default. If there's a cert it gives you the expiration.
It’s twoo, it’s twoo
Oh no, the free service is going to make you put a reminder on your calendar.
Novel concept, how about they let me pay them to remind me.
Needs a [sic] in there.