In a move that has surprised many, Let’s Encrypt, the world’s leading provider of free, automated, and open SSL/TLS certificates for websites, has announced plans to end its longstanding practice of sending email reminders about certificate expirations.
If you are a user of the service, you should have received an email informing you:
As a Let’s Encrypt Subscriber, you benefit from access to free, automated TLS certificates. One way we have supported Subscribers is by sending expiration notification emails when it’s time to renew a certificate. We’re writing to inform you that we intend to discontinue sending expiration notification emails.
As you can see from the email, this change will take effect in the coming months. Simultaneously, Let’s Encrypt will roll out an updated Subscriber Agreement (v1.5) that goes into effect on February 24, 2025.
Let’s Encrypt previously used email notifications to let certificate holders know when their certificates were approaching expiration. These reminders were especially handy for busy website administrators who might inadvertently miss or delay certificate renewals.
Put plainly, these emails functioned as a friendly nudge so you would not end up with an expired certificate, which can cause websites to display those alarming “Not Secure” warnings to visitors.
However, maintaining and managing these reminders on a large scale has proven challenging for Let’s Encrypt over time as the volume of certificates has grown immensely, especially the cost of sending all those emails to the users – currently, Let’s Encrypt issues certificates for more than 560 million websites.
Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.
Although official expiration notifications will be discontinued, Let’s Encrypt advises its subscribers to transition smoothly by considering third-party monitoring services. For instance, Red Sift Certificates Lite (recommended by Let’s Encrypt) can issue expiration emails for up to 250 active certificates at no cost. You can explore this solution at redsift.com.
Of course, you can always go the good old-fashioned route and check the expiration date by using the OpenSSL tool running this command in the terminal:
openssl x509 -dates -noout < /etc/letsencrypt/live/your-domain.com/cert.pemCode language: JavaScript (javascript)For more information, refer to the official announcement.
