Let's Encrypt Is Ending Expiration Notice Emails (arstechnica.com)
Let's Encrypt will stop sending expiration notice emails for its free HTTPS certificates starting June 4, 2025. From the report: Let's Encrypt is ending automated emails for four stated reasons, and all of them are pretty sensible. For one thing, lots of customers have been able to automate their certificate renewal. For another, providing the expiration notices costs "tens of thousands of dollars per year" and adds complexity to the nonprofit's infrastructure as they are looking to add new and more useful services.
If those were not enough, there is this particularly notable reason: "Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us." Let's Encrypt recommends using Red Sift Certificates Lite to monitor certificate expirations, a service that is free for up to 250 certificates. The service also points to other options, including Datadog SSL monitoring and TrackSSL.
Yeah anybody using letsencrypt got the notice (Score:3)
Yeah anybody using letsencrypt got the notice already!
I couldn't care less because any sane cronjob will send you an email for failed renewals.
Apart from reducing load on their infrastructure, they are probably doing it to avoid their outgoing SMTP servers getting on DNS-based blacklists, since sending emails is really a negligible load on our own infrastructure.
That being said, we avoid sending emails as much as possible unless really required. For example, the "out on vacation" automatic replies some organizations send are a good way to get on blacklists, since they can be used in amplification attacks.
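The cron-driven check this thread alludes to, as an added example (hypothetical code, not from Let's Encrypt, Certwatch, or any service named in the story): it validates each host's chain, classifies the leaf certificate's remaining lifetime, and exits non-zero so cron's MAILTO or your own alerting takes over the job of the retired notices. The sample certificate dict and the 20-day threshold are constructed assumptions.

```python
"""Cron-driven certificate expiry check: added example, hypothetical code, not
from Let's Encrypt or any tool named on the page. Exits non-zero on problems."""
import socket
import ssl
import sys
import time

WARN_DAYS = 20  # Let's Encrypt certs live 90 days; 20 leaves room for retries

# Constructed sample in the shape of ssl.getpeercert(); only 'notAfter' is used.
SAMPLE_CERT = {"notAfter": "Jun  4 12:00:00 2025 GMT"}


def days_until_expiry(cert, now):
    """Whole days from now (epoch seconds) to notAfter; negative once expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # stdlib parser
    return int((not_after - now) // 86400)


def classify(cert, now, warn_days=WARN_DAYS):
    """Return ('ok' | 'warn' | 'expired', days_left)."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired", days
    return ("warn" if days <= warn_days else "ok"), days


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Leaf certificate host:port presents, after chain and hostname validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_hosts(hosts, now=None):
    """Return (host, status, detail) for every host that is not 'ok'."""
    now = time.time() if now is None else now
    findings = []
    for host in hosts:
        try:
            status, days = classify(fetch_peer_cert(host), now)
        except OSError as exc:  # unreachable, or chain/hostname validation failed
            findings.append((host, "error", str(exc)))
            continue
        if status != "ok":
            findings.append((host, status, f"{days} days left"))
    return findings


if __name__ == "__main__":
    problems = check_hosts(sys.argv[1:])
    for host, status, detail in problems:
        print(f"{host}: {status}: {detail}")
    sys.exit(1 if problems else 0)
```

A validation failure (expired chain, wrong hostname) is reported as an error rather than silently skipped, which is the case the renewal-failure emails used to catch.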
Amplification attack? (Score:3)
How can a vacation auto-responder be used for an amplification attack? Any good one will reply to at most one sender, and it won't reply to that same sender for a few days to a week. And of course you should never auto-respond to anything that fails SPF or DKIM or looks otherwise dodgy, or is itself an automated message.
But yeah, sending mail, especially large volumes of automated mail, is a pain.
Re: (Score:2)
Yeah, this probably could be done right, but we just redirect the mail of people on vacation to somebody else so a human replies, thus eliminating all use case risks.
Gated community mentality is not reassuring (Score:3)
From the RedSift.com web site:
To find out why Let's Encrypt has endorsed Red Sift, sign up for an exclusive discussion with the Executive Director of Let's Encrypt, Josh Aas, and CEO and Co-Founder of Red Sift, Rahul Powar.
Translation: Since Let's Encrypt values your privacy, they (for whatever reason) recommend you use a 3rd-party notification service that won't post any information publicly, so you have to create an account to know what you're getting yourself into.
I hate the modern Internet.
Alternative open source certificates monitoring (Score:1)
I use my own Certwatch [github.com] open source certificates monitoring tool.
It works with any certificate provider (not only Let's Encrypt), any protocol (not only HTTPS) and several certificate issues (not just expiration).
I use it both for my personal domains and for our company's 5500+ domains. No need to use any third-party service or one of the very expensive tools available on the market...
And I'm open to discuss potential additional features, if needed...
What is going on? (Score:2)
Re: (Score:2)
I just got one such email, and I don't understand why. I've been using Let's Encrypt since their inception (a decade ago?) and never received any mail from them. Renewal is automatic. So why an email now? Does that mean the auto-renewal will stop? The email is not clear.
That means your certbot has never failed to renew because of DNS problems or other issues. Count yourself lucky. For those of us who have come within three or four weeks of missing the 90-day window, this feature was a lifesaver. And now, when it eventually fails, I'm just not even going to fix it. The TLS site will stop working, and people can use HTTP.
Fed up doesn't begin to cover my reaction.
And thus, we reach peak enshittification (Score:2)
As though pushing people to more and more abusively short terms weren't enough, now they're not even going to tell us when we're about to have our sites go down because of those short terms.
Can we PLEASE get back to a sane universe where cheap or free multi-site certs have year-long expiration dates so that TLS will stop being the essence of hell for small site admins? Because at this point, I'm going to turn off TLS on my sites the second it stops working, which statistically speaking will be within a ye
Re: (Score:3)
If you self-host, it's not difficult to automate renewal: https://www.baeldung.com/linux... [baeldung.com]
If you use hosting services, they usually provide that service. Here's an example: https://www.plesk.com/extensio... [plesk.com]