←back to thread

LetsEncrypt – Expiration Notification Service Has Ended

(letsencrypt.org)
181 points zdw | 10 comments | 30 Jun 25 04:49 UTC | HN request time: 0.639s | source | bottom
Show context
leakycap ◴[30 Jun 25 04:52 UTC] No.44419518[source]
One could say it expired.

> Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.

Appreciate the honesty (they had other reasons, too! but emails are a pain and expensive at their scale)

replies(2): >>44420397 #>>44420498 #
1. amenghra ◴[30 Jun 25 07:16 UTC] No.44420397[source]
They should just build a mobile app for the purpose of receiving these notifications. Make the app $2.99. Turn the expense into a profit. /s
replies(4): >>44420462 #>>44420493 #>>44420842 #>>44421074 #
2. tuananh ◴[30 Jun 25 07:29 UTC] No.44420462[source]
what's the cost of sending notifications via mobile app? cheaper than email?
replies(2): >>44420571 #>>44421073 #
3. Hamuko ◴[30 Jun 25 07:34 UTC] No.44420493[source]
I imagine this is best left to third parties like the recommended service linked in the post. I assume that there's also a whole deluge of other services that have similar offerings.
4. tom1337 ◴[30 Jun 25 07:48 UTC] No.44420571[source]
at least for iOS there are no costs associated with using Apple Push Notification Service (APNS) but depending on the way you use it you either need to pay for the infrastructure that sends your notifications to Apple or for a service like OneSignal which does that for you. Not sure what the volume of LE is but I am pretty sure it's a smart move to focus on their core "business" (providing certificates) and let other handle expiration notifications.
5. nikolayasdf123 ◴[30 Jun 25 08:31 UTC] No.44420842[source]
that's quite a good idea..
6. bbarnett ◴[30 Jun 25 09:07 UTC] No.44421073[source]
Mobile app? Now they need to develop that, keep up to date with OS version changes, and far far worse, support end users and their bugs?

And worse of all, worry about Apple and Google's arbitrary rejections?

This seems far more costly than email. Just having one dev keeping those apps going, is likely 20x or more than their email costs per year.

7. bayindirh ◴[30 Jun 25 09:08 UTC] No.44421074[source]
As an other option, you install a cron job on your server, and send push notifications via pushover or ntfy.sh whenever it fails to renew.

Pushover is $5 once for personal use, ntfy.sh can be completely self-hostable if you prefer.

I have written a small tool which utilizes pushover for these reasons.

You can receive the notifications on your browser/mobile for free afterwards.

replies(1): >>44421222 #
8. 0x073 ◴[30 Jun 25 09:30 UTC] No.44421222[source]
Or just a cronjob that fetches the tls certs and look at the expiration date and then send a mail or X.

So it's even work if you don't have control about the le client.

replies(2): >>44421360 #>>44421949 #
9. unilynx ◴[30 Jun 25 09:55 UTC] No.44421360{3}[source]
Exactly this. Don't look at the renewal proces, look at its output. It'll work for all certificate sources and catch other potential errors too (eg the webserver reporting success but not presenting the new certificate)
10. bayindirh ◴[30 Jun 25 11:26 UTC] No.44421949{3}[source]
That'll work too. The idea was to put your own infra in place if you really need that, and it's not very hard to do it, even with completely self-hosted stack.