As of June 4, 2025, Let's Encrypt has stopped sending out email reminders for upcoming TLS certificate expirations. They publicly announced the change in late June to make sure users aren't caught off guard.
Why the change? It comes down to three main reasons:
Automation is already handling most renewals.
The email system is expensive and complex.
Dropping it improves user privacy.
Let's Encrypt explained that automated tools like certbot (and other ACME-compatible clients) have made reminder emails mostly unnecessary. If you're running one of these tools on a schedule, via cron or a systemd timer, you're already covered. The tools take care of it for you. For example, Certbot checks daily to see if renewal is needed and takes care of it when the certificate is within 30 days of expiration.
Another factor: TLS certificate lifetimes are shrinking. As explained by DigiCert and others, maximum certificate lifespans are being reduced, eventually to just 47 days by 2029. If you're relying on manual renewals, that means you'd be reissuing certificates every few weeks. At that pace, email reminders just don't scale, so everybody involved seems to think that automation is the only realistic way forward.
As reported by Bleeping Computer, Let's Encrypt also pointed out that running an email notification system isn't cheap. They estimate it costs tens of thousands of dollars per year, not to mention the ongoing complexity and risk of mistakes. Dropping the service frees up time and money for other parts of their infrastructure.
And finally, there's privacy. Sending email reminders means collecting and storing email addresses tied to certificate issuance records. Let's Encrypt would rather not hold that data at all, and I don't blame them for that. Less data stored means fewer things to secure, audit, or leak.
Were you relying on email alerts to tell you when it's time to renew your website certificates? Surely not, I hope. But if you're one of those people where certificate renewal can get away from you, now is the time to address, and automate, that. And if you already did, then you're fine -- nothing really changes for you.
As of June 4, 2025, Let's Encrypt has stopped sending out email reminders for upcoming TLS certificate expirations. They publicly announced the change in late June to make sure users aren't caught off guard.
Why the change? It comes down to three main reasons:
Let's Encrypt explained that automated tools like certbot (and other ACME-compatible clients) have made reminder emails mostly unnecessary. If you're running one of these tools on a schedule, via cron or a systemd timer, you're already covered. The tools take care of it for you. For example, Certbot checks daily to see if renewal is needed and takes care of it when the certificate is within 30 days of expiration.
Another factor: TLS certificate lifetimes are shrinking. As explained by DigiCert and others, maximum certificate lifespans are being reduced, eventually to just 47 days by 2029. If you're relying on manual renewals, that means you'd be reissuing certificates every few weeks. At that pace, email reminders just don't scale, so everybody involved seems to think that automation is the only realistic way forward.
As reported by Bleeping Computer, Let's Encrypt also pointed out that running an email notification system isn't cheap. They estimate it costs tens of thousands of dollars per year, not to mention the ongoing complexity and risk of mistakes. Dropping the service frees up time and money for other parts of their infrastructure.
And finally, there's privacy. Sending email reminders means collecting and storing email addresses tied to certificate issuance records. Let's Encrypt would rather not hold that data at all, and I don't blame them for that. Less data stored means fewer things to secure, audit, or leak.
Were you relying on email alerts to tell you when it's time to renew your website certificates? Surely not, I hope. But if you're one of those people where certificate renewal can get away from you, now is the time to address, and automate, that. And if you already did, then you're fine -- nothing really changes for you.
Comments
Post a Comment
Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.