Let's Encrypt Ending Support for Expiration Notification Emails
-
[email protected] replied to [email protected]
I actually think it's set by default. If there's a cert it gives you the expiration.
-
[email protected] replied to [email protected]
Oh no, the free service is going to make you put a reminder on your calendar.
-
[email protected] replied to [email protected]
Sigh, yeah I know that and that's not the point I was making but sure.
-
[email protected] replied to [email protected]
What manual hooks? All the systems I've used LE certs in have supported fully automatic DNS challenges.
-
[email protected] replied to [email protected]
I know, clients not wrapping lines in codeblocks are also "rendering properly". Wrapping is up to the client's parser, which is why I noted to use the appropriate syntax regardless.
-
[email protected] replied to [email protected]
Change is hard, I get it. If this change is upsetting, I'd personally figure out the automation piece. It took me a bit, but after getting it going it's rock solid. If using Linux of some flavor, acme.sh works really well.
-
[email protected] replied to [email protected]
If you use Caddy with ACME DNS, all of this can be automated.
If you also use Cloudflare, you can do that + traffic routing with cloudflared without any need for port forwarding.
-
[email protected] replied to [email protected]
It’s twoo, it’s twoo
-
[email protected] replied to [email protected]
It's more than needing a reminder: Let's Encrypt certs are valid for a maximum of 90 days before they need to be reissued. Doing this 4 times (or more) a year, for years on end, will be tedious and error prone.
Most tools that request and install Let's Encrypt certs automatically do this without the need for human interaction (30 days prior to the expiration). Actually, they work so well you don't notice the "behind the scenes work" that's happening.
The problem is when this renewal process "stops working". I'd been using Let's Encrypt for years w/o problems, but eventually the client I was using wasn't updating and it was using a deprecated Let's Encrypt API. Ultimately, the cert stopped updating, but I got the email reminder from Let's Encrypt and I was able to fix it w/o a disruption.
Now, this was just a server for personal use. So if the SSL cert expired, it would not be the end of the world. Plus, I would have gotten a bunch of SSL errors the next time my client was trying to sync data, and I probably would have dropped everything to fix it. But the email reminder was a convenient feature, which allowed me to fix it whenever I had time.
That said, if Let's Encrypt wants to save some money for their free service, I'm certainly not going to complain (although I will miss it).
-
[email protected] replied to [email protected]
I use uptime kuma to check my certificate isn't going to expire.
Also tells me if any of my services are down.
-
[email protected] replied to [email protected]
Using nginx with certbot and Duck DNS, I ended up using the manual option with an authentication, clean up, and post bash scripts, and then a final script that I called from a cron job that called the scripts every three months.
Just from a beginning user of Let's Encrypt, and while a software developer I'm not versed in backend development, and I found the documentation to be a bit hit or miss, understandable with a plethora of open source projects. Using certbot, because that's the rabbit hole Let's Encrypt first sends you down, the documentation while available isn't easy to navigate in my opinion, and it took me a while to track down the variables used to pass down the text, and the bulk of examples found were all using http-01.
I just think that if you're not someone with a background in tech, just wanting to get a server up and running with SSL following a bunch of other tutorials and guides, it could be a bit better to get adoption.
-
[email protected] replied to [email protected]
Do you not automate the renewal of your certificates?
The only time I've ever gotten the expiring cert emails is after I decommission a service that had certificates and no longer renew it.
-
[email protected] replied to [email protected]
It's not just figuring out the automation. If they don't have a plug-in for your DNS provider, and you need a wild card, that automation gets kind of dicey.
-
[email protected] replied to [email protected]
They don't support my DNS provider and they don't support my web server.
Automating the web server isn't very hard; automating the DNS providers is a royal pain in the ass.
-
[email protected] replied to [email protected]
Uptime kuma's pretty nice for such a light duty package
-
[email protected] replied to [email protected]
Can't speak for OP, but they can't seem to automate my Network Solutions DNS through plugins.
I don't know why in the hell they are such sticklers about wildcard domains. Just let me off it on any working domain, hell, force me to author on this is my wildcard.Mydomain.com. The DNS authorization is an unnecessary
-
[email protected] replied to [email protected]
And DNS is the only one available for wildcard, and unless you're using a plug-in capable DNS service, they suck at it.
-
[email protected] replied to [email protected]
Novel concept, how about they let me pay them to remind me.
-
[email protected] replied to [email protected]
Agreed.
For us the mitigation is to do a little monitoring with alerts set to start casually at 29 days out and enter critical 13 days out (out from expiry).
-
[email protected] replied to [email protected]
I'll end up with a Nagios alarm with an x509 check.