Certificate expired notification

Currently one receives certificate expiry notifications that inform about an impending certificate expiration. It would be nice and very helpful to also receive certificate expired notifications for certificates that actually expired and don't work anymore.

Related GitHub discussion (closed in favor of discussion here):

Well, according to their documentation, notices are sent at 20, 10, and 1 day before expiration. (Though in practice, I've only seen the 20 and 10 day notices myself, even for certificates that I didn't renew, but much of my testing is in the staging environment.) If by that point it hasn't been renewed, it's more likely to be the case of the certificate not being needed anymore (due to a site no longer being used, or due to a new certificate that exists but has more or fewer domain names on it) than the case of somebody got the earlier emails but didn't actually check that their automatic renewal was working right.

I guess I wouldn't really object to an additional notice at 0 days left or day-after-expiry, but I don't really think it would help many people. I'd rather effort on improving expiry notification be spent on making the notices better (like not sending at all if new certificates exist for the each name in the expiring cert even if it's not quite the exact same list of names). And even better would be improving the popular ACME clients such that if they were failing renewing day after day to be able to better alert server administrators.

Yes, I agree that it would be fine, as a compromise between Let's Encrypt becoming some kind of HTTPS monitor and not knowing whether renewal failed, to let LE emit one last expiration notification after the certificate definitely expired.

As a last line of defense a HTTPS monitor can be used. Sadly there aren't free HTTPS ones (the free tiers usually either only check over HTTP or don't check the certificate validity). The self-hosted HTTP(S) monitors also aren't really well-maintained.

What difference would that make compared to the current expiration e-mails? As if a sysop reading the "Your certificate is going to expire TOMORROW" would think "Meh... Let's wait.." and a day later reading "Your certificate has expired" thinking "OMG OMG I need to do something now!"?

That's a little bit weird.

In my opinion, any extra expiry e-mail is superfluous. It does NOT add anything functional to the already existing e-mails: the current e-mails are plenty.

1 Like

Death is coming... 20 days
Death is coming... 10 days
Death is coming... tomorrow
Death has come. Obituary?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.