I'm really sorry to see the end of the email reminders.
We have several mechanisms to automate certificate renewals, which work 99.9% of the time, even when there was an external problem with the process. The email reminders helped us with the rest, when redundant automatic processes failed.
Could you at least keep one of these reminders (e.g. 6 days before the certificate expires) and remove the others?
Well, I think in general the automated emails caused more confusion than they solved. Their blog post and linked documentation suggest moving to actual monitoring services, which is probably closer to what most people actually should be using anyway.
I think most people wouldn't register an account with an email if there is no expiry mail. I personally think this was because it isn't really compatible with 7-day certificates: you will hit the 20/10-day warning at the moment the certificate is created. But I think this will reduce reach-out when a mail needs to be sent for an event like a buggy client.
Can you use any of the freely-available, and paid-and-well-supported monitoring services as an alternative? If not, why not?
Just this week on the Caddy forums we had a couple of discussions about people confused by expiration emails because Caddy switched to an alternate CA for renewal automatically.
Not to mention the infrastructure costs of sending those emails, I think this is a good change. Dedicated monitoring services do a much better job and... emails aren't really conducive to automation.
See also my comment on another thread about a dashboard monitoring product we offer in Certify The Web, we can see about free tiers etc if there is enough interest [note that it offers ACME renewal attempt monitoring, not CT log monitoring]: End of expiration notifications - #10 by webprofusion
People with minimal experience/services not using automated renewals are probably perfectly able to set a reminder in their agenda 2 months in the future.
If you're willing to renew any certificate manually, which takes relatively substantial effort, you're probably also willing to set that reminder in/on your agenda/calendar. Not that much extra effort compared with manual renewal.
Getting renewal reminders at present is "set it and forget it" (sign up once and expect them to arrive), which is much less involved than adding/updating a reminder every renewal, which I myself do, or setting a sixty-day periodic reminder. On the bright side, I've added additional extraction of cert info to CertSage in preparation for fully automating renewals, so soon this concern will be mostly irrelevant for CertSage users in the near future.
Of course, I understand that obviously. But Let's Encrypt discourages that to begin with, so from their point of view I reckon some extra work for people not following or not able to follow the automation recommendation is not really an argument to keep these expiry emails.
I just trust that people will do what they do and understand that removing the "don't run into the wall" sign will result in more than a few people slamming into the wall until enough bruises are felt, the sign is re-added, or the wall is removed (one way or the other).
We host several hundred domains that use our automated certificate renewal process. Each certificate is renewed every 60 days.
If the renewal fails on the day of renewal, we attempt renewal daily.
For some reason that we have never been able to identify, some domains fail to renew for several days in a row and then we receive the first warning from Let's Encrypt when the certificate is 19 days away from expiring. This is a rare occurrence and the e-mail warning helps us a lot in these cases.
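Several posts above point at self-hosted monitoring as the replacement for the reminder emails, and one notes that fixed 20/10-day warnings make no sense for 7-day certificates. The check below is an added example written for this thread, not code from Let's Encrypt, Caddy or any poster: it reads the `notAfter` of a live TLS endpoint with the Python standard library and scales the warning thresholds to the certificate's own lifetime (the 2/9 and 1/9 fractions are my choice, picked so a 90-day certificate warns at 20 and 10 days).

```python
import socket
import ssl
import time

# Thresholds as fractions of the certificate lifetime (assumption chosen here):
# 90-day cert -> warn at 20 days, critical at 10 days; 7-day cert -> ~1.6 / ~0.8 days.
WARN_FRACTION = 2 / 9
CRIT_FRACTION = 1 / 9


def days_remaining(not_after: str, now: float) -> float:
    """Days left until notAfter (OpenSSL format, e.g. 'Jun  1 12:00:00 2025 GMT')."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return (expiry - now) / 86400


def lifetime_days(not_before: str, not_after: str) -> float:
    """Validity period of the certificate in days."""
    return (ssl.cert_time_to_seconds(not_after) - ssl.cert_time_to_seconds(not_before)) / 86400


def alert_level(days_left: float, lifetime: float) -> str:
    """Classify the remaining validity relative to the certificate's lifetime."""
    if days_left <= 0:
        return "expired"
    if days_left <= lifetime * CRIT_FRACTION:
        return "critical"
    if days_left <= lifetime * WARN_FRACTION:
        return "warning"
    return "ok"


def check_host(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Handshake with the host and report its leaf certificate's state (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()  # dict with 'notBefore' / 'notAfter' strings
    now = time.time()
    left = days_remaining(cert["notAfter"], now)
    life = lifetime_days(cert["notBefore"], cert["notAfter"])
    return {"host": hostname, "days_left": round(left, 2),
            "lifetime": round(life, 1), "level": alert_level(left, life)}


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(check_host(host))
```

Run it from cron against your own hostnames and page on anything that is not `ok`; unlike the emails, this also catches the case where a renewal succeeded but the new certificate was never deployed.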
Or, debug why you have renewal failures. My first guess is your renewals are being done at a particularly busy time and you are getting Retry Later responses. We can help you debug renewal failures. But, please start a new thread if you want help.
Review these suggestions for integrators / hosting services:
Found out about this through Reddit. Gotta say my initial reaction here to the discontinuation is negative.
I think the privacy angle is weak. If I'm not mistaken, ACME orders and accounts don't need an email address. It's opt-in.
Cost argument? Fair. Cert lifetimes getting lower and lower? Fair.
What would I recommend? Change what is notified. Send notifications instead when authorization objects aren't re-authorized. I forget how long LE allows authorization objects to be valid for - I think it's what, 30 days?
IMO if an automation using an LE ACME account isn't working and a cert failed to renew, it's very likely the AO is dead too. So put the logic on its head.
Unless of course there's a desire to reduce AO lifetimes as well and this hasn't been widely talked about yet....
Pretty sure there was talk of reducing that to 7 days or lower, can't find the thread though. Cached auth doesn't even happen on some CAs, so you can't rely on it.
Orders themselves have a shorter lifetime than they used to, no idea what it is currently but for instance if you take too long to do a manual DNS update etc your order will become an unknown Order ID more frequently now (more common where there are manual auth steps).