←back to thread

LetsEncrypt – Expiration Notification Service Has Ended

(letsencrypt.org)
181 points zdw | 9 comments | 30 Jun 25 04:49 UTC | HN request time: 0s | source | bottom
Show context
scrapheap ◴[30 Jun 25 10:01 UTC] No.44421396[source]
This makes sense to me. You should never rely on your CA to let you know that a certificate is due to expire soon, you should have your own monitoring in place that actively checks this for you.
replies(2): >>44421753 #>>44421782 #
1. bo1024 ◴[30 Jun 25 11:03 UTC] No.44421782[source]
As a hobbyist without a lot of time for sysadmin, it would be nice if basic email monitoring was a standard package (apt install letsencrypt-monitors or something).
replies(3): >>44421841 #>>44422380 #>>44423233 #
2. bravesoul2 ◴[30 Jun 25 11:13 UTC] No.44421841[source]
Use one of the myriad uptime monitoring services.
3. johnisgood ◴[30 Jun 25 12:21 UTC] No.44422380[source]
Just use certbot. It automatically sets up a scheduled task to renew your SSL/TLS certificates in the background, typically using a systemd timer that runs twice a day. I do not know why people using LetsEncrypt would not set up certbot along with it, that is how I do it. Some nginx config + certbot.
replies(2): >>44422649 #>>44427499 #
4. Walf ◴[30 Jun 25 12:51 UTC] No.44422649[source]
Maybe the situation's improved, but I found certbot from system package managers would diverge from latest version, sometimes significantly, like support for DNS challenge APIs breaking. I switched to ‘acme.sh’ for most machines and haven't looked back. It no longer has Let's Encrypt as its default issuer, but you can set it back to LE with one config command.
replies(1): >>44422664 #
5. johnisgood ◴[30 Jun 25 12:53 UTC] No.44422664{3}[source]
I was going to mention acme.sh, too. certbot and acme.sh are two popular methods.

That said, I never had issues with certbot on Arch Linux, and I have been using it for a really long time.

Since Arch Linux is bleeding-edge, it does not diverge from latest version. :D

6. jeroenhd ◴[30 Jun 25 13:48 UTC] No.44423233[source]
You can get pretty close to this by (1) setting up certbot and (2) configuring your system to actually send emails if cron jobs fail.

I can see the use in a tool that will scan all certificates configured in local web servers and monitors for close expiration dates, though. Not just Let's Encrypt, but also any other ACME accounts and certificate directories you may need. The biggest challenge would probably be dealing with encrypted certificate files, and after that getting email set up correctly. Nobody seems to have made it because it's so easy to script or add to a pre-existing monitoring system, so this could be a fun open source project. You probably can't use the letsencrypt brand name, though.

replies(1): >>44424941 #
7. JohnTHaller ◴[30 Jun 25 16:09 UTC] No.44424941[source]
Emails sent from most hosting servers won't actually get to your inbox, unfortunately.
8. bo1024 ◴[30 Jun 25 20:29 UTC] No.44427499[source]
I use certbot, but I don't think it will email me if something goes wrong.
replies(1): >>44438418 #
9. johnisgood ◴[01 Jul 25 22:10 UTC] No.44438418{3}[source]
What would go wrong? I have been using LetsEncrypt (with certbot) for a really long time, and it never went wrong. Did it ever happen to you?