PSA: LetsEncrypt ending expiration notification emails

ajen@sh.itjust.works

If they send 2 emails per subdomain per year, that could easily be 10s of millions which would make the cost per email measured in thousandths of a cent. And I could see the number of subdomains being larger by a factor of 10, maybe more.

Another angle: someone with IT experience needs to manage the system that seems emails, and other engineers need to integrate other systems with the email reminder system. The time spent on engineering could easily add up to thousands per year, if not tens of thousands.

I'm guessing their figure is based on both running costs and engineering costs.

schizo@forum.uncomfortable.business

As with all things email, they probably really wanted to make sure that the mails were delivered and thus were using a commercial MTA to ensure that.

I'd wager, even at 20 or 30 or 40k a year, that's way less than it'd cost to host infra and have at least two if not three engineers available 24/7 to maintain critical infra.

Looking at my mail, over the years I've gotten a couple hundred email from them around certificates and expirations (and other things), and if you assume there's a couple million sites using these certs, I could easily see how you'd end up in a situation where this could scale in cost very very slowly, until it's suddenly a major drain.

wildbus8979@sh.itjust.works

I'm with you, but that's why I'm automating certificate expiry checking somewhere else (in my home assistant install to be exact).

wildbus8979@sh.itjust.works

But then you have to distribute CAs to all the devices that will reach this service, and not all devices allow that.

evkob@lemmy.ca

According to (their stats page)[https://letsencrypt.org/stats/], Let's Encrypt's certificates are used by around 500M domains.

evkob@lemmy.ca

Let's Encrypt is run by a non-profit (Internet Security Research Group), they list their major sponsors and funders on their website.

chewy7324@discuss.tchncs.de

Notable mention of Mozilla being a Platinum sponsor.

gofsckyourself@lemmy.world

Just needs an API and an export/import feature.

sirmaple__@lemmy.world

I manage all my certs using Cert Warden which has a dashboard that displays the expiry date. It does lack alerting, so I use Uptime-kuma to monitor the expiry dates of the certs. So not a big loss for me.

isokiero@sopuli.xyz

True. And there's also a ton of devices around which don't trust LetsEncrypt either. There's always edge cases. For example, take a bit older photocopier and it's more than likely that it doesn't trust on anything on this planet anymore and there's no easy way to update CA lists even if the hardware itself is still perfectly functional.

That doesn't mean that your self-signed CA, in itself, would be technically any less secure than the most expensive Verisign certificate you can find. And yes, there's a ton of details and nuances here and there, but I'm not going to go trough every technical detail about how certificates work. I'm not an expert on that field by any stretch even if I do know a thing or two and there's plenty of material online to dig deep into the topic if you want to.

corsicanguppy@lemmy.ca

emails

\sigh

wildbus8979@sh.itjust.works

I'm good. LE is far more practical for 99% of use cases, even internally.

superglue@lemmy.dbzer0.com

I think thats the case for most of us. But for some like myself, it does mean I have to do the monitoring myself now. I can't complain it was a free service. But it did warn me about a renewal problem before the cert expired, so it was a useful service for me.

justcallmelarry@lemmy.dbzer0.com

Not yelling, but pointing out, to people who also dont math, that if we assume $10 per 10k emails (or $1 per 1k, for simpler math), that’d be $84 for 84000 emails in a month, so you need to add another 0 to the figure (ie 840k emails in a month)

illecors@lemmy.cafe

Whole path has to be accessible, not just the file itself. All dirs above the file need to have the executable bit set that affects the user accessing the file.

scrubbles@poptalk.scrubbles.tech

So sendgrid checking does 2.5M emails a month for $90/month, and if call them the Cadillac provider. More than that you have to contact sales, so I'm still wondering how it's that expensive to them

forbiddenlake@lemmy.world

You could use a reverse proxy to terminate tls, and take the tls off of ad guard itself.

lightnegative@lemmy.world

TIL Cert Warden is a thing. Looks awesome!

shortn0te@lemmy.ml

How are those devices affected by having no notification anymore? The manual labor exists anyway.

Most network switches and devices have a web gui to switch them out. Those can be automated.

kokesh@lemmy.world

I know, but for some reason Adguard can read the fullchain, not privkey. Now it works.