Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us. We will be ending this service on June 4, 2025. The decision to end this service is the result of the following factors:
Over the past 10 years more and more of our subscribers have been able to put reliable automation into place for certificate renewal.
Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us.
Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.
Providing expiration notifications adds complexity to our infrastructure, which takes time and attention to manage and increases the likelihood of mistakes being made. Over the long term, particularly as we add support for new service components, we need to manage overall complexity by phasing out system components that can no longer be justified.
Those are some pretty good reasons.
I got this notification as well. It's funny. I've been using Let's Encrypt professionally for a number of years and personally for a few less but still significant periods of time. I've never gotten a renewal notification professionally (because we didn't do an email), but on both of my home servers where I use Let's Encrypt, I've had notifications pushed to my email. The first few times, I kinda freaked out - "are these NOT going to auto renew?? That's the whole reason I set this system up!".
I'm cool with seeing the notifications go away - as they said, more and more people use their service to automate a process.
Glad they're reducing their privacy surface area!
It was the push I needed to finally, after 5 years of doing the renewing by hand, sit down and automate it. I really should’ve done this sooner…
Any tips or tools for this?
Certbot is the most straightforward one that comes to mind.
I've been doing my LE certs and renewals through traefik and a DNS challenge for a few years now. But that's overkill unless you need a reverse proxy.
I'm sure there's lots of other automated cert rotators though.
I switched from Nginx to Caddy in December, and the renewal is automated out of the box and totally invisible. There's literally nothing to do: if you have a domain name in your Caddyfile, Caddy will manage everything.
With the caveat that your server has to be publicly reachable to perform an HTTP-01 challenge on port 80. Caddy can do DNS challenges but that requires configuration and is a little unclear on support for my DNS provider, so I use Lego.
Like others already mentioned, there are a number of tools that make this possible. In my case, I need to use DNS. The provider I use is not part of the list of plugins certbot supports by default, so it took some fiddling to get the REST call to my provider to work. So my setup now is systemd timer + certbot DNS + bash script to do REST call to provider. I can provide more details if you think this is useful for you. Also, if other people have better options, I’d love to hear them.
After a couple of days of thinking about it, I too finally got off my ass and set up auto-renewal on a couple of my important domains. Luckily Certbot has a plugin for DNS challenge (required for wildcard certificates) on PorkBun (the registrar I use), so it just required a Bash script and a Systemd timer for it to run every couple of months. Maybe this is the better solution than waiting for an email and waiting until it's urgent to SSH in and manually renew the certs!
I've had autorenew set up, but sometimes it has broken for different internal reasons, and then those mails have been really good for notifying me of that. My stack is really way too complicated, but this is a hobby thing so I only do things when inspired or if I really have to =)
Does anyone know how to set up auto-renewal with Nginx Proxy Manager using non-standard ports? I use services on high ports and only open 443 and 80 just for renewal, and I'd rather not leave those open the whole time. I haven't been able to find a way to get NPM to interact with Let's Encrypt using other ports.
The standard requires ports 80 and 443, so it's not really possible. You can do a DNS challenge instead, which seems to be possible with nginx proxy manager provided certbot supports your DNS provider and then you don't need to open any ports.
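One comment in this thread notes that auto-renewal sometimes broke silently and the expiry emails were what caught it. As an added example (not from the thread or from Let's Encrypt), here is a small Python check that reads the certificate each host actually serves and flags any that are close to expiry. The thresholds and the idea of running it from a timer are assumptions.

```python
import socket
import ssl
import sys
import time

# Assumed thresholds, not from the thread: working automation renews long
# before these, so reaching them means the renewal job has been failing.
WARN_DAYS, CRIT_DAYS = 20, 7


def classify(not_after, now=None):
    """Map a notAfter string (getpeercert() format) to a status."""
    now = time.time() if now is None else now
    days = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days < 0:
        return "EXPIRED"
    if days <= CRIT_DAYS:
        return "CRITICAL"
    if days <= WARN_DAYS:
        return "WARNING"
    return "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the certificate the server actually serves."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_hosts(hosts, fetch=fetch_not_after, now=None):
    """Return (host, status, detail); unreachable or invalid counts as failure."""
    results = []
    for host in hosts:
        try:
            not_after = fetch(host)
            results.append((host, classify(not_after, now), not_after))
        except OSError as exc:  # includes ssl.SSLError, e.g. already expired
            results.append((host, "ERROR", str(exc)))
    return results


if __name__ == "__main__":
    # Hostnames are arguments; a non-zero exit lets the timer unit alert.
    report = check_hosts(sys.argv[1:])
    for host, status, detail in report:
        print(f"{status:8} {host}  {detail}")
    sys.exit(0 if all(status == "OK" for _, status, _ in report) else 1)
```

Because it checks the served certificate rather than the files on disk, it also catches the case where renewal succeeded but the web server was never reloaded.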