181 points zdw | 1 comments
scrapheap No.44421396
This makes sense to me. You should never rely on your CA to let you know that a certificate is due to expire soon; you should have your own monitoring in place that actively checks this for you.
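An added example, not part of any comment in this thread: one way to run the kind of local expiry check described in the comment above, using the `openssl` CLI. The function names, the exit-code convention, the 30-day default window and the throwaway `example.test` certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: local certificate expiry check using the openssl CLI.
# Exit codes follow the common monitoring-plugin convention (an assumption here):
#   0 = valid beyond the warning window, 1 = expires within it, 2 = unreadable.

# check_cert FILE [WARN_DAYS]: check a PEM certificate on disk.
check_cert() {
    cert=$1
    warn_days=${2:-30}
    if ! end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null); then
        echo "UNKNOWN: $cert is not a readable certificate"
        return 2
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
        echo "OK: $cert ($end)"
        return 0
    fi
    echo "WARNING: $cert expires within $warn_days days ($end)"
    return 1
}

# check_host HOST [PORT] [WARN_DAYS]: same check on the certificate a live server presents.
check_host() {
    pem=$(mktemp)
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$pem" 2>/dev/null || true
    rc=0
    check_cert "$pem" "${3:-30}" || rc=$?
    rm -f "$pem"
    return "$rc"
}

# make_test_cert FILE DAYS: constructed sample input, a throwaway self-signed certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Offline demo: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp/soon.pem" 10
    check_cert "$tmp/soon.pem" 30 || echo "non-zero exit ($?) is what a cron job or alert hook keys on"
    rm -rf "$tmp"
fi
```

Run it from cron or a systemd timer, independently of the renewal job, so that a silently failing renewal still produces an alert.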
bo1024 No.44421782
As a hobbyist without a lot of time for sysadmin, it would be nice if basic email monitoring was a standard package (apt install letsencrypt-monitors or something).
johnisgood No.44422380
Just use certbot. It automatically sets up a scheduled task to renew your SSL/TLS certificates in the background, typically using a systemd timer that runs twice a day. I do not know why people using Let's Encrypt would not set up certbot along with it; that is how I do it. Some nginx config + certbot.
Walf No.44422649
Maybe the situation's improved, but I found certbot from system package managers would diverge from the latest version, sometimes significantly, like support for DNS challenge APIs breaking. I switched to ‘acme.sh’ for most machines and haven't looked back. It no longer has Let's Encrypt as its default issuer, but you can set it back to LE with one config command.
1. johnisgood No.44422664
I was going to mention acme.sh, too. certbot and acme.sh are two popular methods.

That said, I never had issues with certbot on Arch Linux, and I have been using it for a really long time.

Since Arch Linux is bleeding-edge, it does not diverge from the latest version. :D