PSA: LetsEncrypt ending expiration notification emails
PSA: LetsEncrypt ending expiration notification emails
letsencrypt.org
Ending Support for Expiration Notification Emails
I think it's a good idea, everyone should be automating this anyway.
37 comments
-
-
I did setup UptimeKuma for notifications on this. let's see if it works out when the expiry arrives in a month
-
I think I'll need to add notifications for my uptime kuma as well now. So far I've used it mostly for historical data but without the mails, I would like to get a notice
-
UptimeKuma looks nice. Simple, but it does what it is supposed to.
-
Just needs an API and an export/import feature.
-
-
-
I manage all my certs using Cert Warden which has a dashboard that displays the expiry date. It does lack alerting, so I use Uptime-kuma to monitor the expiry dates of the certs. So not a big loss for me.
-
I think it's a good idea, everyone should be automating this anyway.
This is still not possible in all scenarios. For example, wildcard certificates for DNS providers with no API support.
-
If you're using Prometheus, Blackbox exporter checks cert expiration as well
-
I have my home assistant check and also my nagios, better safe then sorry
-
Mine just auto renews anyway
-
I think thats the case for most of us. But for some like myself, it does mean I have to do the monitoring myself now. I can't complain it was a free service. But it did warn me about a renewal problem before the cert expired, so it was a useful service for me.
-
-
PSA: If you use Cloudflare to proxy, you can get a free decade long certificate and not worry about it for awhile.
-
Oh, look: the NSA dangling a carrot on a line.
-
Hey, if you wanna put your home server out there so the first person who gets pissy at you can DDoS you off the net until your ISP decides to cancel your service, that's a perfectly acceptable decision to make for yourself.
-
-
-
Dietpi has an automatic letsencrypt recert service which could probably be ported since its just a whiptail script
-
Just use certbot and cron.
-
Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year
Not doubting them, but I don't understand how that's possible.
Storing the email addresses and expiration dates takes an irrelevant amount of storage space, even if they had billions of cutomers.
Sending the emails should also not cost thousands, even if a significant amount of customers regularly let their certificates expire (which hopefull isn't the case).
So where are the tens of thousands of yearly costs coming from?
-
As with all things email, they probably really wanted to make sure that the mails were delivered and thus were using a commercial MTA to ensure that.
I'd wager, even at 20 or 30 or 40k a year, that's way less than it'd cost to host infra and have at least two if not three engineers available 24/7 to maintain critical infra.
Looking at my mail, over the years I've gotten a couple hundred email from them around certificates and expirations (and other things), and if you assume there's a couple million sites using these certs, I could easily see how you'd end up in a situation where this could scale in cost very very slowly, until it's suddenly a major drain.
-
37 comments
Those emails have warned me something was pooched in advance many times. I do find them useful.
Sad to see them go, but nice they mention an alternative.
Pretty much all monitoring solutions on the market track cert expiration nowadays. I get an alert when any of my certs have <5 days left
What monitoring solution do you use? I need to set something up for my own projects but haven't gotten around to it. Any experience with Nagios?
I’ve mainly gotten false positives, myself. When I’ve added another subdomain or something and the certificate gets set up differently, so then you get 2-3 emails saying domain X will expire, but if you connect to the url you see it has 80+ days left. Setting up your own monitoring solution is probably long overdue for myself, and it’s nice I’m getting forced to do it, in a way