Let's Encrypt will stop sending certificate expiration reminder emails on June 4, 2025. For many sys admins who've relied on these handy notifications, this news means it's time to at least find a replacement certificate monitoring tool, if not also automate previously manual certificate renewals.
Why Is Let's Encrypt Ending Reminder Emails?
Let's Encrypt has issued millions of free SSL certificates. At their scale, the cost of sending those reminder emails quickly adds up. As a non-profit, they've determined that these expiration emails are no longer the best use of their limited resources. By phasing out these emails, they hope to encourage broader adoption of automated renewal via Certbot and other ACME clients.
What Should You Do Now?
Accidentally allowing a certificate to lapse will render your site inaccessible to most users, leading to a loss of user trust and severe SEO consequences. At a minimum, replace the Let's Encrypt email reminders with another certificate monitoring solution; the ultimate goal should be to automate your certificate renewals.
1. Implement Or Strengthen Your Automated Renewals:
Let's Encrypt recommends, and has always supported, fully automated certificate renewals. Certbot and other ACME clients, when configured correctly, can automatically renew your certificates well before they expire. The only catch is that all automation is subject to unexpected failure.
- Pros: Convenient, recommended by Let's Encrypt.
- Cons: Unreliable. Requires periodic monitoring to ensure continued functionality.
2. Third-Party SSL Monitoring Services:
The unreliability of automation necessitates a backup solution, such as email notifications about invalid or soon-to-expire certificates for domains of interest.
Certificate monitoring tools like CertNotifier can fill the gap left by Let's Encrypt's discontinued emails. CertNotifier proactively tracks certificate expiration dates and sends timely email reminders before certificates expire, or if they become invalid for some other reason.
- Pros: Reliable reminders, track unlimited domains with or without direct server or DNS access.
- Cons: Not free, but at just $9.99/year for 3 domains, cost is minimal compared to downtime.
3. Custom Monitoring Solutions:
Tech-savvy users might write custom Bash or Python scripts to monitor SSL certificate validity. The only way to do this semi-reliably is to run the scripts on a completely separate server; otherwise, misconfigurations in the server being monitored can easily impede certificate validation or prevent alerts from reaching their destination.
- Pros: Highly efficient and customizable.
- Cons: Risky. Requires ongoing monitoring.
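One way such a check might look, as an added example that is not part of the original article: a Python script meant to run from a machine other than the server being monitored. The 21-day threshold and the function names are assumptions of this example.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 21  # assumed alert threshold; tune to your renewal schedule


def days_left(not_after, now=None):
    """Whole days until notAfter (string format returned by getpeercert())."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map an expiry date to OK / EXPIRING / EXPIRED plus days remaining."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED", remaining
    if remaining <= warn_days:
        return "EXPIRING", remaining
    return "OK", remaining


def check_host(host, port=443, timeout=10):
    """Fetch and validate the live certificate the way a client would."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Already expired, wrong hostname, untrusted chain: act now.
        return "INVALID", exc.verify_message
    except OSError as exc:
        # A monitor that cannot connect must report it, not stay silent.
        return "UNREACHABLE", str(exc)
    return classify(cert["notAfter"])


if __name__ == "__main__":
    failed = False
    for name in sys.argv[1:]:
        status, detail = check_host(name)
        print(f"{name}: {status} ({detail})")
        failed = failed or status != "OK"
    sys.exit(1 if failed else 0)
```

Pass hostnames as arguments; the script exits non-zero when any host is not `OK`, so a scheduler or wrapper can turn that into an alert.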
Putting It All Together
The end of Let's Encrypt certificate expiration emails doesn't have to disrupt your operations. Evaluate the needs of your situation to choose the best automated renewal and certificate monitoring strategy. For most sys admins, combining automated renewals with a reliable third-party monitoring service like CertNotifier is the ideal solution.