HN Reader

One could say it expired.

> Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.

Appreciate the honesty (they had other reasons, too! but emails are a pain and expensive at their scale)

A company like Postmark should have just given them a free account on the condition they mentioned them at the bottom of emails or something

It's a valuable service for the average person to get these emails without having to set up separate monitoring

This makes sense to me. You should never rely on your CA to let you know that a certificate is due to expire soon, you should have your own monitoring in place that actively checks this for you.

Certificates are still a pain in the butt. One of the most cumbersome aspects of the web.

Especially domain wide certs which need DNS auth.

DNS auth would be okish if it was simply tied to a txt entry in the DNS and valid as long as the txt entry is there. Why does LetsEncrypt expire the cert while the acme DNS entry is still there? Which attack vector does this prevent?

Also, why not support file based auth in .well-known/acme-challenge/... for domain wide certs? Which attack vector does that prevent?

It's unfortunate to see this go away, but understandable given the costs involved. Another option is to run Caddy as a web server, which provides automatic cert renewal (https://caddyserver.com/docs/automatic-https). If notifications are still important, they also provide an event subscription system (https://github.com/caddyserver/certmagic#events) so you can subscribe to cert-related events, run custom code, trigger event handlers, etc.

When I received the first warning email about this, I wrote a simple library and cli to validate all my certs for me.

https://github.com/jgaa/openvalify

This is a smart move. The amount of infrastructure complexity for what's essentially a band-aid for poor automation practices wasn't worth it. We migrated ~800 domains to LE back in 2019 and initially relied heavily on those expiration emails as a safety net. But honestly, they became more of a crutch than a help. Once we implemented proper monitoring with Prometheus + cert-manager, we haven't had a single cert expire unexpectedly. The privacy angle is interesting too. I hadn't considered how much PII they were sitting on just for this feature. With GDPR and similar regulations, that's a significant liability for what amounts to "your cron job didn't run" notifications. For anyone panicking about this: if you're still depending on email notifications for cert renewal in 2025, this is your wake-up call to implement actual monitoring. Even a simple bash script that checks cert expiry dates and posts to a Slack webhook would be more reliable than email notifications. Curious what their infrastructure costs actually were for this. "Tens of thousands per year" seems low for managing millions of emails, but I guess if it's just queuing jobs to an email service provider, that tracks.

I hope they don't send another 20 emails at random intervals across two months to notify me of this now...

is there a Slack bot for expiry checks?

This pushed me to automate certificate renewal for all my domains. This is much better than waiting for any kind of notifications, and it was very easy. I think this is a very good decision on their part.

DIY monitoring:

   $ curl https://example.com -vI --stderr - | grep "expire date"

   *  expire date: Jan 15 23:59:59 2026 GMT

I can't believe they didn't end it soon. Majority of the users have automatic renewals in place which makes this completely unnecessary

will email still be recuired for getting certs?

Is it the right time to rant about the cert expiration as a concept? I understand why certs might be revoked. But expire?

I was using this with Certbot for 17 different domains it's a bit sad to see it go. I’m not even sure if I ever relied on the notifications, but just knowing it existed gave some peace of mind.