All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Let's Encrypt will no longer send out expiry notices later this year
The SSL provider Let's Encrypt will no longer send you a reminder as of June 4, 2025 when you have a certificate due to expire.
This is somewhat understandable since sending e-mail at large scale is challenging due to all the hoops Google/etc demands of large volume mail senders.
Personally, I found the e-mail reminders a useful service when the automation fails for whatever reason. Some uptime monitoring services don't inform you regarding certificate validity at all, or give advanced noticed of certificate expiring. For my own needs, I will look into setting up one of the open source monitoring solutions as I've already hit my limit on two of the popular monitoring provider's free plans (it looks like there are some solid options on github). I recommend you check whatever monitoring you use will send advance certificate notifications, as not all do this (and sometimes it is something you have to opt-in to).
More broadly speaking, I think it is possible we may see a slight increase in 'expired certificate' warnings around the web after June...
Comments
they just need a few of @jar 's black friday plans and they'll be all set
Do you really need a service? It's a 3-line shell script.
Oh really? I 'd like to enable auto renewal
Add few more lines and make it send you a mail when they're expired.
I use HetrixTools "SSL Certificate Expiration" option, lets you select how many remaining days to trigger warning.
This is the right decision because no one reads such messages.
We are on LET. Our machines don't have enough compute to process this before it expires.
Wut? Sure, ignore OP and speak for yourself and ignore reality.
They listed four reasons. None of them were from lack of use.
I am planning to use a library since by the time I add all the options I'd like (check certificate expiry within 20 days, check ping time / downtime, check for text string presence, notification to SMTP and possibly other methods, support for various protocols, configurable re-notification periods or ignore time periods per monitor, history log with graphs, etc), it would be easier to just docker install something.
Though thank you for the script, it is always nice to have multiple options
Honestly, I never read emails regarding LE certs expiry notice. I let certbot/acme doing all the LE certs stuffs.
I don't remember the last time I saw such an email from LE, but this prompted me to write an icinga check to do the same thing. Took me like 3 minutes.
Those messages are quite useless anyway
Its sad, you must manager renew time by yourself
No problem.
I've always been using Cloudflare's SSL.
I use HetrixTools "SSL Certificate Expiration" option, lets you select how many remaining days to trigger warning.
You shouldn't be getting any of those emails if you've got certbot set up correctly.
From my experience they only send them out ~21 days before your cert expires (then ~14 days, ~7 days). I think the recommendation is to renew around 1 month before expiry, which I imagine most automation do. I don't think I've ever seen LE notifications from anything other than certs I've intentionally let expire.
We also use HetrixTools to monitor our servers, SSL and Domains
As other have said, you can use curl or even openssl to grab the cert details and alert based off that. I'm sure there's also some other monitor software that can do it for you (like the previous comment mentions).
Since I use acme-tiny to renew my certs, I actually made a script that backs up the current cert (the renew attempt will overwrite it) and will check the exit code from acme-tiny. If the exit code is anything besides zero, it will restore that backup it took and email me the details on why it failed. I renew monthly so if it fails, I will have plenty of time to actually log in and fix any issue but it's been forever since a renew failed. Even when it failed a long time ago, it was always me just reruning the renew script to resolve the issue. I basically started ignoring the first failure and let the following month's attempt fix it automatically.
Do think I really should try certbot one of these days. I forget why I originally went with acme-tiny but I've stuck with it since I already had scripts for it and know how it behaves.
NodePing also has a check for monitoring SSL certs. Very handy, since it will also text you so you don't miss yet another email.
Same. It's setup and forget. Though one can automate notifications via sendmail just fine. I do know that it's harder to do it for wildcard ssls, still possible using DNS hooks most likely.
Wut? Having your site's certs expire is quite embarrassing and makes companies look like Mickey mouse operations.
I don't think you know what "useless" actually means.
Where does that script email you? That is the topic.
Sort of. Using free SSL certificates also qualifies as 'mickey mouse operations' though - expired or not.
I used to use @NodePing and they were awesome. I assume they still are.
It was left as an exercise for the Gentle Reader.
How so? There's zero difference from a paid one. Are you some asshole checking out valid certificates to see if free or purchased?
For self hosting purposes it doesn't make a difference. Depends on your use case.
StackOverflow, Mozilla, SourceForge, Reuters, the NBA, Stanford, the NSA...all mickey mouse operations.
Slightly different to self signed on an unknown host / organisation.
Warranties and DV / EV serve a purpose for many.