Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us. We will be ending this service on June 4, 2025. The decision to end this service is the result of the following factors:
Over the past 10 years more and more of our subscribers have been able to put reliable automation into place for certificate renewal.
Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records.
I think it’s a good idea, everyone should be automating this anyway.
I’ve mainly gotten false positives, myself. When I’ve added another subdomain or something and the certificate gets set up differently, so then you get 2-3 emails saying domain X will expire, but if you connect to the URL you see it has 80+ days left.
Setting up your own monitoring solution is probably long overdue for myself, and it’s nice I’m getting forced to do it, in a way.
If you have the time to spare (a few weeks perhaps, if coming from zero) to experiment and read, Prometheus and Grafana offer a lot and can be really flexible. I use a pretty simple bash script that scrapes my desired https endpoints and writes out the results to a file Prometheus (node-exporter) understands, and from there I can write alert rules in Grafana to fire off notices by email or Slack.
I set up Uptime Kuma to also monitor certs this week when I got the reminder email about them stopping the email warnings, been using it for some time for uptime monitoring (mostly to see if some auto docker image update screws up my services) and the notification part has worked nicely for that, so I’m also assuming it will work nicely for the certificates.
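A sketch of the kind of script that comment describes, added here as an example and not the commenter's own script: it reads each endpoint's certificate expiry with `openssl` and writes it in the text format that node-exporter's textfile collector reads. The metric name, the `host:port` target syntax and the choice to report an unreachable endpoint as 0 are assumptions of this sketch; it needs GNU `date`, coreutils `timeout` and the `openssl` CLI.

```bash
#!/usr/bin/env bash
# Added example. Assumes GNU date, coreutils timeout and the openssl CLI.
# The metric name tls_cert_not_after_seconds is made up for this sketch.

# "notAfter=Jun  4 12:00:00 2025 GMT" (openssl x509 -enddate) -> Unix time.
not_after_to_epoch() {
  date -u -d "${1#notAfter=}" +%s
}

# "host" or "host:port" -> "host port", defaulting to port 443.
split_target() {
  local host="${1%%:*}" port="${1##*:}"
  if [ "$port" = "$1" ]; then port=443; fi
  printf '%s %s\n' "$host" "$port"
}

# Print the notAfter line of the certificate the target actually serves.
# s_client does not validate the chain here; this only reads the expiry date.
fetch_not_after() {
  set -- $(split_target "$1")
  timeout 10 openssl s_client -connect "$1:$2" -servername "$1" \
      </dev/null 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null
}

# One sample line in Prometheus text exposition format.
metric_line() {
  printf 'tls_cert_not_after_seconds{target="%s"} %s\n' "$1" "$2"
}

# write_metrics OUTFILE TARGET... : probe every target, then rename the
# finished file into place so the collector never reads a half-written file.
write_metrics() {
  local out="$1" tmp="$1.$$" target line epoch
  shift
  {
    echo '# HELP tls_cert_not_after_seconds Expiry of the served certificate (Unix time).'
    echo '# TYPE tls_cert_not_after_seconds gauge'
    for target in "$@"; do
      epoch=0   # failed probe reports 0, so an expiry alert fires for it too
      if line=$(fetch_not_after "$target") && [ -n "$line" ]; then
        epoch=$(not_after_to_epoch "$line")
      fi
      metric_line "$target" "$epoch"
    done
  } > "$tmp" && mv "$tmp" "$out"
}

# Run from cron as: script.sh /path/to/textfile_dir/tls.prom host1 host2:8443
if [ "$#" -ge 2 ]; then write_metrics "$@"; fi
```

An alert rule can then compare the value with the current time, for example `tls_cert_not_after_seconds - time() < 5 * 86400`.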
I use NewRelic myself. They are software agnostic and only connect to your URL to get the expiration date.
If you set up LE correctly, it should never get an alert. I haven’t been alerted since I set it up, to the point that I wonder if I set up the monitor correctly.
The only thing I wish it could do is use custom ports. I have some services running on non-standard ports.
Those emails have warned me something was pooched in advance many times. I do find them useful.
Sad to see them go, but nice they mention an alternative.
Set up Uptime Kuma
Pretty much all monitoring solutions on the market track cert expiration nowadays. I get an alert when any of my certs have <5 days left.
What monitoring solution do you use? I need to set something up for my own projects but haven’t gotten around to it. Any experience with Nagios?