Let's Encrypt Is Ending Expiration Notice Emails (arstechnica.com)

Let's Encrypt will stop sending expiration notice emails for its free HTTPS certificates starting June 4, 2025. From the report: Let's Encrypt is ending automated emails for four stated reasons, and all of them are pretty sensible. For one thing, lots of customers have been able to automate their certificate renewal. For another, providing the expiration notices costs "tens of thousands of dollars per year" and adds complexity to the nonprofit's infrastructure as they are looking to add new and more useful services.

If those were not enough, there is this particularly notable reason: "Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us." Let's Encrypt recommends using Red Sift Certificates Lite to monitor certificate expirations, a service that is free for up to 250 certificates. The service also points to other options, including Datadog SSL monitoring and TrackSSL.

  • by ls671 ( 1122017 ) on Wednesday February 05, 2025 @10:49PM (#65145891) Homepage

    Yeah anybody using letsencrypt got the notice already!

    I couldn't care less because any sane cronjob will send you an email for failed renewals.

    Apart from reducing load on their infrastructure, they are probably doing it to avoid their outgoing SMTP servers getting on DNS-based blacklists, since sending emails is really a negligible load on our own infrastructure.

    That being said, we avoid sending emails as much as possible unless really required. For example, the "out on vacation" automatic replies some organizations send are a good way to get on blacklists, since they can be used in amplification attacks.

    • by dskoll ( 99328 ) on Wednesday February 05, 2025 @11:12PM (#65145919) Homepage

      How can a vacation auto-responder be used for an amplification attack? Any good one will reply to at most one sender, and it won't reply to that same sender for a few days to a week. And of course you should never auto-respond to anything that fails SPF or DKIM or looks otherwise dodgy, or is itself an automated message.

      But yeah, sending mail, especially large volumes of automated mail, is a pain.

      • by ls671 ( 1122017 )

        Yeah, this probably could be done right, but we just redirect the mail of people on vacation to somebody else so a human replies, thus eliminating all use-case risks.

        • Yeah, this probably could be done right

          Not "probably could be", but "is". There are no autoresponders that are used in amplification attacks. Autoresponders send emails only to the original sender (so they only email one address), they only send them after validating the sender (so no spamming the autoresponder), and they cool off and don't send repeated autoresponses.

          If this could be used in amplification attacks there'd be a furore about it in the security world, since these systems are pervasive and commonly used, and there isn't.

      • by gweihir ( 88907 )

        How can a vacation auto-responder be used for an amplification attack? Any good one will reply to at most one sender

        Simple
        1. There are too many bad ones
        2. If not amplification, it is still often a nice reflector

        Do not underestimate how incompetent a lot of set-ups are. Yes, it can be done right. No, it often is not.

        • by dskoll ( 99328 )

          I've never encountered such a misconfigured out-of-office autoresponder in the wild, and I ran an email security company for 19 years. And an ooo autoresponder would make a terrible reflector given that most limit replies to a given sender to one every few days.

          The only out-of-control autoresponders I have encountered have been stupid ticketing systems; some of our clients would open a ticket in our system; they'd get an autoresponse, which their ticketing system would think was a *NEW* ticket and then au

    • That being said, we avoid sending emails as much as possible unless really required. For example, the "out on vacation" automatic replies some organizations send are a good way to get on blacklists, since they can be used in amplification attacks.

      Outlook's out-of-office feature sends an autoreply only once for each sender. Does that count as amplification?

      • by gweihir ( 88907 )

        No, just as a reflector. Which you can still nicely use after amplification to have the blame and blacklisting happen there.

    • by gweihir ( 88907 )

      I couldn't care less because any sane cronjob will send you an email for failed renewals.

      Same here. I mean, even a wget exit status on a test page can probably (have not tested it) do it reliably and locally as well as remotely.

      But the thing here is, even "cron" is "deep magic" for many people and reading email and following simple step-by-step instructions is about the maximum in complexity of a task they can handle. Sure, people like that have no business running web-servers, but tell them that and they will not understand it. Dunning-Kruger Effect at work.

  • by Waccoon ( 1186667 ) on Wednesday February 05, 2025 @11:45PM (#65145953)

    From the RedSift.com web site:

    To find out why Let's Encrypt has endorsed Red Sift, sign up for an exclusive discussion with the Executive Director of Let's Encrypt, Josh Aas, and CEO and Co-Founder of Red Sift, Rahul Powar.

    Translation: Since Let's Encrypt values your privacy, they (for whatever reason) recommend you use a 3rd-party notification service that won't post any information publicly, so you have to create an account to know what you're getting yourself into.

    I hate the modern Internet.

    • by allo ( 1728082 )

      Translation: Since Let's Encrypt values your privacy, they do not store any data of you anymore. If you choose to give your data to another service, you're free to do so. The rest of us may choose not to do it.

    • (for whatever reason)

      What do you mean "for whatever reason"? The reason is clear. They value privacy and thus don't want to store associated identifying email details along with certificates and transmit the information unencrypted over email relays.

      This is a good thing, and not a reason to hate the modern internet. They are literally making the storing of personal data opt-in and forcing that opt-in to happen with a cybersecurity firm rather than dealing with it themselves, i.e. let the experts handle it.

  • I use my own Certwatch [github.com] open source certificate monitoring tool.

    It works with any certificate provider (not only Let's Encrypt), any protocol (not only HTTPS) and several certificate issues (not just expiration).

    I use it both for my personal domains and for our company's 5500+ domains. No need to use any third-party service or one of the very expensive tools available on the market...

    And I'm open to discuss potential additional features, if needed...

    • by Bert64 ( 520050 )

      It seems to completely lack IPv6 support for a start, testing it against any IPv6-only site returns "No address associated with hostname", and testing it against a dual stack site only reports one legacy address even if there are several (eg round robin load balancing).

      The Qualys SSL checker (which checks other things but also shows expiry times etc) tests all addresses that a site resolves to (eg it can identify an out of sync load balancer configuration): https://www.ssllabs.com/ssltes... [ssllabs.com]

      There's a list of

  • I just got one such email, and I don't understand why. I've been using Let's Encrypt since their inception (a decade ago?) and never received any mail from them. Renewal is automatic. So why an email now? Does that mean the auto-renewal will stop? Reading the email is not clear.

    • by dgatwood ( 11270 )

      I just got one such email, and I don't understand why. I've been using Let's Encrypt since their inception (a decade ago?) and never received any mail from them. Renewal is automatic. So why an email now? Does that mean the auto-renewal will stop? Reading the email is not clear.

      That means your certbot has never failed to renew because of DNS problems or other issues. Count yourself lucky. For those of us who have come within three or four weeks of missing the 90-day window, this feature was a lifesaver. And now, when it eventually fails, I'm just not even going to fix it. The TLS site will stop working, and people can use HTTP.

      Fed up doesn't begin to cover my reaction.

      • by Anonymous Coward

        And now, when it eventually fails, I'm just not even going to fix it. The TLS site will stop working, and people can use HTTP.

        So it sounds like you don't really give a shit about your site, given the fact that most people will give up and stop visiting once they get the scary warnings, so why do you even bother with it? Might as well shut it down now, it's obviously got no significant value to you. You could even be nice and put up a farewell message directing people to alternatives rather than have them hi

    • It just means that your auto renewal is working. The emails have helped me a couple times years ago, when for whatever reason the certificate wasn't updating. More often though I'd get false positives when I'd add a subdomain to a certificate. This replaces the certificate with a new one, and you get the automated emails for the old certificate when it's ready to expire.

  • by dgatwood ( 11270 ) on Thursday February 06, 2025 @02:42AM (#65146123) Homepage Journal

    As though pushing people to more and more abusively short terms weren't enough, now they're not even going to tell us when we're about to have our sites go down because of those short terms.

    Can we PLEASE get back to a sane universe where cheap or free multi-site certs have year-long expiration dates so that TLS will stop being the essence of hell for small site admins? Because at this point, I'm going to turn off TLS on my sites the second it stops working, which statistically speaking will be within a year or so.

    I'm done with this. My site doesn't benefit from TLS even slightly, and the whole reason I'm using it is because of abuse from browser vendors who throw up bullshit warnings when you hit a non-HTTPS website — the same folks who then forced these painfully short durations by shutting down the only providers that made multi-domain cheap certs available with longer durations. And now the one semi-survivable cert provider is shutting down the key feature that made their service even remotely tolerable from my perspective.

    Want to know what will finally kill the open web? It isn't Facebook or other locked-down sites. It is all the small website engineers finally throwing up their hands and saying, "I'm sick of this shit" and shutting down their sites, leaving only the walled-garden giants like Facebook left to do what that open infrastructure once did.

    • by Samare ( 2779329 ) on Thursday February 06, 2025 @03:06AM (#65146149)

      If you self-host, it's not difficult to automate renewal: https://www.baeldung.com/linux... [baeldung.com]
      If you use hosting services, they usually provide that service. Here's an example: https://www.plesk.com/extensio... [plesk.com]

      • The issue with something like Plesk is it manages its own cert renewal, but has this problem if your DNS isn't run directly on Plesk, where it can be interesting updating your DNS host's nameservers (IONOS, for example, doesn't have a remote way for the host system to change the IONOS DNS). Plugins do exist for some providers, but not all of them.

      • by dgatwood ( 11270 )

        If you self-host, it's not difficult to automate renewal: https://www.baeldung.com/linux... [baeldung.com] If you use hosting services, they usually provide that service. Here's an example: https://www.plesk.com/extensio... [plesk.com]

        I have automated renewal. It breaks randomly when adding new hosts, removing old hosts, changing DNS providers, and at various other random times. And because of the way certbot works, it doesn't give you a cert for the hostnames that work and skip the ones that fail. Instead, if one hostname breaks, it won't renew the cert for ANY host, so all your domains go down. While that is the right behavior up until the cert expires, it means that if things do go over that limit, all your sites are down until yo

    • If managing TLS certs is "hell" for you then you're doing something very wrong and should let a professional do the job. If you are "managing" certificate expirations with Let's Encrypt, STOP IT and learn to deal with the situation properly.

      I'm done with this. My site doesn't benefit from TLS even slightly

      This is a 2-for-1 display of incompetence. Firstly, your "done with this" shows you haven't used any of the basic automation processes that have been put in place. That's horrendous security practice. Secondly, you think TLS is for the benefit of the site rather than the

      • Ok, garbypants, enlighten me. What's the right way? Seriously, I'm all ears.

        • I'm sorry, but if you read my post just now and didn't understand that this entire process should be completely automated and hands off, and you should never require manual intervention on something you essentially need to do every 3 months, there's no way I can enlighten you any further. This is an intellectual journey you need to walk yourself.

          • So what do you use to automate? I'm not hearing any process or software or methodology... hand rolled?
            certbot perchance? getssl?

            I know plenty about this topic, but I'm always ready to improve. I'm looking for details, a little more depth of knowledge than a bit of light hand waving.
            I'm still listening.

    • by Burdell ( 228580 )

      Peak enshittification is people throwing the word enshittification on everything they don't like.

    • It's not LE's job to notify you of your expiring certificate.

      This is like blaming the supermarket because they didn't warn you that you were about to run out of milk...

    • by dskoll ( 99328 )

      Wow. If you take half an hour to set up automated renewals, you pretty much never have to think about it again. And just to be extra sure, set up a certificate-monitoring system (there are several you can host yourself including Xymon) to warn you if a cert is about to expire.

      I set this up years ago for my domains and it works just fine.

    • by gweihir ( 88907 )

      You are really overstating the case. They are doing this because with short-validity certs they cannot really handle the email load. On the other hand, certificate revocation is broken and cannot be fixed. There really is no "enshittification" here. And you are completely free to send yourself email when cert renewal fails. In fact, you should do that anyways.

    • So continue to serve it over HTTP and throw it behind Cloudflare, problem solved?

  • This all is soooo clunky. Letsencrypt is a huge improvement, but it still is just a stop-gap for a system that's completely outdated to begin with. These protocols often are quite literally from the steam age of computing, and DNS and this SSL hack bolted on top of it sure are in the top 3 of those. These things are ancient and often stretched way beyond their intended original purpose.

    Why do I have to log into my host every 6 months to run a script? Or automate a script to run every 6 months? Why can't I jus

    • by Bert64 ( 520050 )

      DNS does have DNSSec which addresses most of the security concerns, it's your fault if you don't use it.

      Running a public-facing server requires ongoing maintenance, security updates for instance; automating a script to renew a cert is the least inconvenient thing in the grand scheme of things. Sure, you could buy a long-expiry cert and leave it untouched for a year, but then what? You have a significant chance of getting the site infected with something and then used to propagate further nefarious activities.

    • Can we just please redo DNS already? That would be great.

      As soon as we finish redoing IP. We've been working on that for nearly 30 years and we're at least a decade away from finishing, so deploying a new-improved DNS everywhere should be done by about 2070.

    • by gweihir ( 88907 )

      You overlook that the whole cert revocation problem comes from machines that get broken into. The same problem would apply to your nice "keyset" and actually solve nothing.

  • openssl s_client -showcerts -servername {domainnamehere} -connect {IPaddresshere}:{porthere} 2>/dev/null | openssl x509 -inform pem -noout -enddate | cut -d "=" -f 2

    You're welcome.
  • I mean, you can say the hosting costs money I suppose, but don't you need the hosting anyway, as I'm sure it's not just used for emails, right? Sounds like a lot of excuses for repeatedly downgrading Let's Encrypt. Give us lifetime keys and you won't have to send out expiration emails, instead of making the keys last a week or whatever they are slowly doing.

  • I pasted this prompt into ChatGPT o3-mini...

    Write a PowerShell script that will monitor a list of URLs and email a warning if any of their SSL certificates will be expiring within 14 days.

    Problem solved in under a minute. Non-Windows users can replace PowerShell with whatever.

  • Here is a function that I use as part of a script that runs from cron every week.

    The rest of it renews the certificate if it has less than a certain number of days remaining,
    and it sends an email when the certificate is renewed.

    TS_LIMIT=22 # Number of days remaining before an autorenewal

    log_msg() {
        # Log the message passed to this function ($0 would log the script name, not the message)
        logger -t check_cert "$*"
    }

    check_cert_date() {
        # List the Let's Encrypt certificates that are on this server
        CERT_PATH=`certbot certificates 2>&1 | grep 'Certificate Path' | awk
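As an added example, not code from any of the posters, here is a Python version of the expiry check that the openssl one-liner and the cron-script post above sketch: it fetches notAfter from a verified TLS handshake with SNI and flags hosts that are expired or within a warning threshold. The hostnames, dates and the 14-day threshold are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Warning threshold in days; an assumption mirroring the 14-day figure
# used in the thread, not a value from either poster's script.
WARN_DAYS = 14


def fetch_not_after(host, port=443, timeout=5.0):
    """Return the peer certificate's notAfter string for host:port.

    Does a verified TLS handshake with SNI, like the s_client one-liner.
    Needs network access, so the sample data below does not use it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now=None):
    """Days until not_after (OpenSSL text form, e.g. 'Jun  4 00:00:00 2025 GMT').
    Negative when the certificate has already expired."""
    expiry = ssl.cert_time_to_seconds(not_after)  # parsed as UTC
    if now is None:
        now = datetime.now(timezone.utc)
    return (expiry - now.timestamp()) / 86400.0


def expiring(records, warn_days=WARN_DAYS, now=None):
    """Given {host: notAfter}, return (host, days_left) pairs that need
    attention (expired or within warn_days), most urgent first."""
    flagged = []
    for host, not_after in records.items():
        left = days_remaining(not_after, now)
        if left <= warn_days:
            flagged.append((host, round(left, 1)))
    return sorted(flagged, key=lambda pair: pair[1])


# Constructed sample data standing in for live fetch_not_after() results.
SAMPLE = {
    "fresh.example": "Jun  4 00:00:00 2025 GMT",
    "soon.example": "Mar 10 00:00:00 2025 GMT",
    "expired.example": "Feb  1 00:00:00 2025 GMT",
}
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, left in expiring(SAMPLE, now=SAMPLE_NOW):
        state = "EXPIRED" if left < 0 else "expires in %.1f days" % left
        print("%s: %s" % (host, state))
```

Run from cron and pipe anything it prints to mail (or exit non-zero when the list is non-empty) and you have the self-hosted notice the thread recommends in place of the Let's Encrypt emails.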
