Let's Encrypt ending notifications
I received the following email recently. Basically it means an end to SSL notifications of expiry from Let's Encrypt.
Hi,
As a Let’s Encrypt Subscriber, you benefit from access to free, automated TLS certificates. One way we have supported Subscribers is by sending expiration notification emails when it’s time to renew a certificate.
We’re writing to inform you that we intend to discontinue sending expiration notification emails. You can learn more in this blog post. You will receive this reminder email again in the coming months:
https://letsencrypt.org/2025/01/22/Ending-Expiration-Emails
Here are some actions you can take today:
Automate with an ACME Client that supports Automated Renewal Information (ARI). ARI enables us to automatically renew your certificates ahead of schedule should the need arise:
https://letsencrypt.org/2024/04/25/guide-to-integrating-ari-into-existing-acme-clients
Sign up for a third-party monitoring service that may provide expiration emails. We can recommend Red Sift Certificates Lite, which provides free expiration emails for up to 250 active certificates:
https://redsift.com/pulse-platform/certificates
Opt in to emails. While we are deprecating expiration notification emails, you can opt in to continue to receive other emails. We’ll keep you informed about technical updates, and other news about Let’s Encrypt and our parent nonprofit, ISRG, based on the preferences you choose:
https://letsencrypt.org/opt-in/
In accordance with this change, we are updating our Subscriber Agreement, effective 24 February 2025. This is the agreement that governs the relationship between you and ISRG with regards to your acquisition and use of SSL/TLS digital certificates issued by ISRG (via Let's Encrypt). You don't need to take any action to continue to use the Let's Encrypt service but we encourage you to review the new agreement. You can find the latest agreement (v1.5) here:
https://letsencrypt.org/repository/
All the best,
Let’s Encrypt
I wish to know if there are any self-hosted solutions to monitor SSL expiry and notify by email.
I was also thinking if maybe @Andrei will be able to add some monitor in HetrixTools to monitor SSL expiry too.
Stop the planet! I wish to get off!
Comments
I believe uptime-kuma has SSL monitoring, but not sure abt email part tho
Uptime Kuma definitely does SSL monitoring as part of their "HTTP(S)" monitor, and you can setup notifications to be sent by email (as well as a ton of other options).
Double post, but it looks like HetrixTools does already offer certificate validation on their "Website Monitor", enabled by default. However, I'm guessing you'd only get the notification after it expires.
It can monitor expiration date also
https://docs.hetrixtools.com/ssl-certificate-expiration-date-monitoring/
Here's the official Lets Encrypt post:
https://letsencrypt.org/2025/01/22/ending-expiration-emails/
From the above there a link to Red Sift Certificates Lite (formerly Hardenize). Red Sift’s monitoring service providing expiration emails is free of charge for up to 250 certificates. They also provide other options here: https://letsencrypt.org/docs/monitoring-options/
Oh, okay, I see now. This is available after adding the monitor. Thanks!
For self hosting, it's pretty trivial to check expiry from a simple cron script. I use:
Change port and/or add '-starttls protocol' to test other services like IMAPS
I don't want to post the full 300-line script but Google's Gemini created a python script which checks the date and sends an email when a certificate gets close to expiration. Seems like a lot of options.
300!! I don't feel quite so redundant now
300 lines? I do it with 20 lines of sh, and it even supports multiple dnsrecords.
That's saying a lot since I'm a really shitty programmer.
Well I'd say the AI was, without any other way to put it, very thorough. It made sure to check for many different types of errors, and included a number of comments. It made sure to include 18-lines worth of comments for the is_certificate_expiring function. Because without those comments, there is no way to know what the is_certificate_expiring function does.
Click the spoiler if you want to see a small part of the code.
It'll differentiate all those errors even though none of them matter, but won't close the socket. Maybe I should've used DeepSeek.
Take note of the expiry date set a chron task have it email you with the result.
Free Hosting at YetiNode | MicroNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
Thanks!
For web servers/ reverse proxy i use caddy. Helps manage certificate renewals natively.
A great option to not worry.
But better to have a monitor in place, just in case.
A little disappointing. It was nice having these notifications as a backup, especially for internally facing services or slightly non-standard setups like the cert renewal for my ZNC bouncer. I'm using a self hosted version of healthchecks.io to try and keep on top of failing automation, but it was still nice to have this as a wake-up call when inevitably something slipped through the cracks.
Is certbot auto ssl renewal in crontab not working anymore?
I’m a simple man I see gifs, I press thanks
Auto ssl renewal should be working:
- | Free Uptime Kuma | Best Web Hosting Deal
Hello @root
Besides Uptime Kuma and HetrixTools, other open-source monitoring tools can check SSL certificate expiry. For example, Zabbix can monitor SSL certificates directly, while Prometheus requires an exporter like the ssl_exporter to collect SSL certificate metrics. Both Zabbix and Prometheus can integrate with alerting systems to provide notifications.
(Note: I'm not endorsing these specifically, just mentioning them as examples.)