Let's Encrypt Is Ending Expiration Notice Emails (arstechnica.com)

Let's Encrypt will stop sending expiration notice emails for its free HTTPS certificates starting June 4, 2025. From the report: Let's Encrypt is ending automated emails for four stated reasons, and all of them are pretty sensible. For one thing, lots of customers have been able to automate their certificate renewal. For another, providing the expiration notices costs "tens of thousands of dollars per year" and adds complexity to the nonprofit's infrastructure as they are looking to add new and more useful services.

If those were not enough, there is this particularly notable reason: "Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us." Let's Encrypt recommends using Red Sift Certificates Lite to monitor certificate expirations, a service that is free for up to 250 certificates. The service also points to other options, including Datadog SSL monitoring and TrackSSL.

Comments:
  • by ls671 ( 1122017 ) on Wednesday February 05, 2025 @10:49PM (#65145891) Homepage

    Yeah anybody using letsencrypt got the notice already!

    I couldn't care less because any sane cronjob will send you an email for failed renewals.

    Apart from reducing load on their infrastructure, they are probably doing it to avoid their outgoing SMTP servers getting onto DNS-based blacklists, since sending emails is really a negligible load on our own infrastructure.

    That being said, we avoid sending emails as much as possible unless really required. For example, the "out on vacation" automatic replies some organizations send are a good way to get on blacklists since they can be used in amplification attacks.

    • by dskoll ( 99328 ) on Wednesday February 05, 2025 @11:12PM (#65145919) Homepage

      How can a vacation auto-responder be used for an amplification attack? Any good one will reply to at most one sender, and it won't reply to that same sender for a few days to a week. And of course you should never auto-respond to anything that fails SPF or DKIM or looks otherwise dodgy, or is itself an automated message.

      But yeah, sending mail, especially large volumes of automated mail, is a pain.

      • by ls671 ( 1122017 )

        Yeah, this probably could be done right, but we just redirect the mail to people on vacation to somebody else so a human replies, thus eliminating all use-case risks.

        • Yeah, this probably could be done right

          Not "probably could be", but "is". There are no autoresponders that are used in amplification attacks. Autoresponders send emails only to the original sender (so they only email one address), they only send them after validating the sender (so no spamming the autoresponder), and they cool off and don't send repeated autoresponses.

          If this could be used in amplification attacks there'd be a furore about it in the security world, since these systems are pervasive and commonly used, and there isn't.
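The safeguards this sub-thread describes (reply only to the envelope sender, never answer automated mail, require a sender that passed SPF or DKIM, and cool off per sender), as an added Python example that is not from the article or any commenter; the header names follow RFC 3834 and RFC 8601, the cool-off period is a constructed policy value, and the sample messages are constructed:

```python
import re
from email import message_from_string
from email.utils import parseaddr

COOLOFF_SECONDS = 7 * 24 * 3600  # one auto-reply per sender per week (constructed policy)


def is_automated(msg) -> bool:
    """Machine-generated mail (RFC 3834 Auto-Submitted, bulk/list Precedence, list headers) is never answered."""
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return True
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "junk", "list"):
        return True
    return "List-Id" in msg or "List-Unsubscribe" in msg


def sender_authenticated(msg) -> bool:
    """True only if our own MTA's Authentication-Results header records an SPF or DKIM pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return re.search(r"\b(spf|dkim)=pass\b", results) is not None


class Autoresponder:
    def __init__(self, cooloff: int = COOLOFF_SECONDS) -> None:
        self.cooloff = cooloff
        self.last_reply = {}  # sender address -> time of the last auto-reply we sent

    def should_reply(self, raw: str, now: float):
        """Returns (send?, reason); a reply goes to the envelope sender only, never to Reply-To."""
        msg = message_from_string(raw)
        rp = (msg.get("Return-Path") or "").strip()
        if rp == "<>":                     # null reverse path: a bounce or notification
            return False, "null-sender"
        sender = parseaddr(rp or msg.get("From", ""))[1].lower()
        if not sender:
            return False, "null-sender"
        if is_automated(msg):
            return False, "automated"
        if not sender_authenticated(msg):  # a forged sender would turn us into the amplifier
            return False, "unauthenticated"
        last = self.last_reply.get(sender)
        if last is not None and now - last < self.cooloff:
            return False, "cooloff"
        self.last_reply[sender] = now
        return True, "reply"


def constructed(extra_headers: str) -> str:
    return "From: Alice <alice@example.com>\nSubject: hi\n" + extra_headers + "\nbody\n"

# Constructed sample messages: legitimate, machine-generated, SPF failure, bounce.
LEGIT = constructed("Return-Path: <alice@example.com>\nAuthentication-Results: mx.example.net; spf=pass\n")
AUTO = constructed("Return-Path: <alice@example.com>\nAuthentication-Results: mx.example.net; dkim=pass\nAuto-Submitted: auto-replied\n")
SPOOFED = constructed("Return-Path: <alice@example.com>\nAuthentication-Results: mx.example.net; spf=fail\n")
BOUNCE = constructed("Return-Path: <>\nAuthentication-Results: mx.example.net; spf=pass\n")
```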

  • by Waccoon ( 1186667 ) on Wednesday February 05, 2025 @11:45PM (#65145953)

    From the RedSift.com web site:

    To find out why Let's Encrypt has endorsed Red Sift, sign up for an exclusive discussion with the Executive Director of Let's Encrypt, Josh Aas, and CEO and Co-Founder of Red Sift, Rahul Powar.

    Translation: Since Let's Encrypt values your privacy, they (for whatever reason) recommend you use a 3rd-party notification service that won't post any information publicly, so you have to create an account to know what you're getting yourself into.

    I hate the modern Internet.

    • by allo ( 1728082 )

      Translation: Since Let's Encrypt values your privacy, they do not store any data of you anymore. If you choose to give your data to another service, you're free to do so. The rest of us may choose not to do it.

    • (for whatever reason)

      What do you mean "for whatever reason"? The reason is clear. They value privacy and thus don't want to store associated identifying email details along with certificates and transmit the information unencrypted over email relays.

      This is a good thing, and not a reason to hate the modern internet. They are literally making the storing of personal data opt-in and forcing that opt-in to happen with a cybersecurity firm rather than dealing with it themselves, i.e. let the experts handle it.

  • I use my own Certwatch [github.com] open source certificates monitoring tool.

    It works with any certificate provider (not only Let's Encrypt), any protocol (not only HTTPS) and several certificate issues (not just expiration).

    I use it both for my personal domains and for our company's 5500+ domains. No need to use any third party service or one of the very expensive tools available on the market...

    And I'm open to discuss potential additional features, if needed...

    • by Bert64 ( 520050 )

      It seems to completely lack IPv6 support for a start: testing it against any IPv6-only site returns "No address associated with hostname", and testing it against a dual stack site only reports one legacy address even if there are several (e.g. round robin load balancing).

      The Qualys SSL checker (which checks other things but also shows expiry times etc.) tests all addresses that a site resolves to (e.g. it can identify an out of sync load balancer configuration): https://www.ssllabs.com/ssltes... [ssllabs.com]

      There's a list of
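A cron-driven check of the kind discussed in this sub-thread, resolving every IPv4 and IPv6 address behind a name and comparing the certificate each one serves, as an added Python example that is not Certwatch's code, the Qualys checker's, or any commenter's; it uses only the standard library, and the host, addresses, threshold and expiry dates in demo() are constructed:

```python
import socket
import ssl
from typing import Callable, Dict, List

WARN_DAYS = 14  # alert threshold in days (constructed value)
DAY = 86400


def resolve_all(host: str, port: int = 443) -> List[str]:
    """Every IPv4 and IPv6 address the name resolves to, so each round-robin member and dual-stack endpoint is checked."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_not_after(host: str, addr: str, port: int = 443) -> float:
    """Handshakes with one specific address, SNI set to host, and returns the
    leaf certificate's notAfter as a Unix timestamp (needs network; replaced in demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((addr, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])


def check_host(host: str, now: float,
               resolver: Callable[[str], List[str]] = resolve_all,
               fetcher: Callable[[str, str], float] = fetch_not_after) -> List[str]:
    """Warning lines: handshake failures, expired or near-expiry certificates per
    address, and a mismatch when addresses behind one name present different expiries."""
    warnings: List[str] = []
    expiries: Dict[str, float] = {}
    addrs = resolver(host)
    if not addrs:
        return [f"{host}: no addresses resolved"]
    for addr in addrs:
        try:
            expiries[addr] = fetcher(host, addr)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            warnings.append(f"{host} [{addr}]: handshake failed: {exc}")
    for addr, exp in expiries.items():
        days = (exp - now) / DAY
        if days < 0:
            warnings.append(f"{host} [{addr}]: EXPIRED {-days:.1f} days ago")
        elif days < WARN_DAYS:
            warnings.append(f"{host} [{addr}]: expires in {days:.1f} days")
    if len(set(expiries.values())) > 1:
        warnings.append(f"{host}: expiry differs across {len(expiries)} addresses (out-of-sync backend?)")
    return warnings


def demo(now: float = 1_700_000_000.0) -> List[str]:
    # Constructed dual-stack host whose IPv6 backend still serves an older certificate.
    resolver = lambda h: ["192.0.2.10", "2001:db8::10"]
    fetcher = lambda h, a: now + (60 * DAY if a == "192.0.2.10" else 5 * DAY)
    return check_host("www.example.com", now, resolver, fetcher)
```

Run from cron and mail the returned lines when the list is non-empty; the resolver and fetcher parameters exist so the logic can be exercised offline.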

  • I just got one such email, and I don't understand why. I've been using Let's Encrypt since their inception (a decade ago?) and never received any mail from them. Renewal is automatic. So why an email now? Does that mean the auto-renewal will stop? Reading the email is not clear.

    • by dgatwood ( 11270 )

      I just got one such email, and I don't understand why. I've been using Let's Encrypt since their inception (a decade ago?) and never received any mail from them. Renewal is automatic. So why an email now? Does that mean the auto-renewal will stop? Reading the email is not clear.

      That means your certbot has never failed to renew because of DNS problems or other issues. Count yourself lucky. For those of us who have come within three or four weeks of missing the 90-day window, this feature was a lifesaver. And now, when it eventually fails, I'm just not even going to fix it. The TLS site will stop working, and people can use HTTP.

      Fed up doesn't begin to cover my reaction.

      • by Anonymous Coward

        And now, when it eventually fails, I'm just not even going to fix it. The TLS site will stop working, and people can use HTTP.

        So it sounds like you don't really give a shit about your site, given the fact that most people will give up and stop visiting once they get the scary warnings, so why do you even bother with it? Might as well shut it down now, it's obviously got no significant value to you. You could even be nice and put up a farewell message directing people to alternatives rather than have them hi

  • As though pushing people to more and more abusively short terms weren't enough, now they're not even going to tell us when we're about to have our sites go down because of those short terms.

    Can we PLEASE get back to a sane universe where cheap or free multi-site certs have year-long expiration dates so that TLS will stop being the essence of hell for small site admins? Because at this point, I'm going to turn off TLS on my sites the second it stops working, which statistically speaking will be within a ye

  • This all is soooo clunky. Let's Encrypt is a huge improvement, but it still is just a stop-gap for a system that's completely outdated to begin with. These protocols often are quite literally from the steam age of computing, and DNS and this SSL hack bolted on top of it sure are in the top 3 of those. These things are ancient and often stretched way beyond their intended original purpose.

    Why do I have to log into my host every 6 months to run a script? Or automate a script to run every 6 months? Why can't I jus

    • by Bert64 ( 520050 )

      DNS does have DNSSEC, which addresses most of the security concerns; it's your fault if you don't use it.

      Running a public facing server requires ongoing maintenance, security updates for instance; automating a script to renew a cert is the least inconvenient thing in the grand scheme of things. Sure, you could buy a long-expiry cert and leave it untouched for a year, but then what? You have a significant chance of getting the site infected with something and then used to propagate further nefarious activities
