Fair enough, but people have off days. I take down my acme-dns server and forget to update the configs for all the systems that were using it; the email is a helpful reminder. And since most of those were internal systems, no external monitoring tool could tell me the certs were about to expire. Yeah, it's still my problem, but the emails actually are kind of helpful--if people actually read and understand them.
I assume that some of the standard offerings out there ought to be able to monitor certificate transparency logs and thus give you notifications of pending expiration even on internal systems, but maybe I'm too optimistic about such things.
I was thinking more along the lines of checking the expiration date of the active certificates with a curl and sending an email if a specific threshold was reached.
So the problem with all of these solutions is that they are driving up the complexity of monitoring which increases the chance of the solution failing.
The Let's Encrypt expiry email acts as a failsafe that is much harder to break.
I should add that part of the justification 'we are doing this for privacy' doesn't really fly, as anyone that is using a Let's Encrypt cert should also be subscribed to the technical notification emails. If people are doing the right thing (which some in this thread have used as an argument for removing the email notifications) then this change shouldn't result in a decrease in the number of emails held by Let's Encrypt.
For those interested in monitoring (and if required, notifications) for their certs we at Certify The Web prototyped some support for other ACME clients to report to our dashboard a while back.
I believe the concern is these emails are related to an ACME account and thus specific certs (domain names). You may not be concerned that LE knows this. But, LE may be concerned about having to disclose this to, um, outside agencies. If they don't have the info they can't disclose it.
The new registration of emails for general info is different.
The solution for that is that we make it an opt in/out option.
Given my domain registration requires an email address I really don't think LE would be a primary source for this type of info.
It's certainly had the occasional problem in the past, including sending email when it shouldn't and not sending when it should. (Those are just a couple examples, I vaguely remember there being more.) It's not a failsafe, and Let's Encrypt has called it "best-effort" for a long time, where they didn't want to make any promises about how well it might work.
But then you'd get similar notification false positives as today, like certificates that get updated with another SAN set, or switched from RSA to ECC, or issued by another CA altogether. Or a new certificate got issued, but not properly deployed. Etc... The most reliable way is to probe the actual endpoint(s) for its current certificate's validity lifetime.
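One way to do the endpoint probe described above, as an added example and not code from anyone in this thread: it opens a TLS connection with SNI, reads the notAfter of the certificate the endpoint actually serves, and classifies it against a threshold. Hostnames, ports and the 14-day default are assumptions.

```python
"""Probe TLS endpoints for the leaf certificate they serve and warn below a threshold."""
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

def days_remaining(not_after: str, now_ts: Optional[float] = None) -> float:
    """Days until expiry for a notAfter string in the format getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2025 GMT'. Negative means already expired.
    now_ts is an epoch timestamp override used for testing; defaults to the clock."""
    expiry = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return (expiry - now_ts) / 86400

def classify(not_after: str, threshold_days: float = 14, now_ts: Optional[float] = None) -> str:
    """Map remaining lifetime to OK / EXPIRING / EXPIRED for alerting."""
    left = days_remaining(not_after, now_ts)
    if left < 0:
        return "EXPIRED"
    return "EXPIRING" if left <= threshold_days else "OK"

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with SNI and return notAfter of the leaf cert actually served.
    Verification stays enabled: an expired or mis-deployed chain raises
    ssl.SSLCertVerificationError instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def probe(host: str, port: int = 443, threshold_days: float = 14) -> Tuple[str, str]:
    """Return (status, detail) for one endpoint; never raises, so one bad host
    does not abort the whole sweep."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as e:  # must precede OSError (it is a subclass)
        return "INVALID", f"{host}:{port} failed verification: {e.verify_message}"
    except OSError as e:
        return "UNREACHABLE", f"{host}:{port} connection failed: {e}"
    left = days_remaining(not_after)
    return classify(not_after, threshold_days), f"{host}:{port} expires in {left:.1f} days ({not_after})"

if __name__ == "__main__":
    # Usage: python probe_expiry.py host[:port] ...  (hypothetical file name)
    # Non-zero exit on anything but OK, so a cron job can hook a mail command on it.
    worst = 0
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        status, detail = probe(host, int(port or 443))
        print(status, detail)
        worst = max(worst, 0 if status == "OK" else 1)
    sys.exit(worst)
```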
It's not a failsafe, and Let's Encrypt has called it "best-effort"
There is a huge difference between the LE emails system not working for a day or two and an internal system failing.
LE has a dedicated team looking at these problems and millions of users reporting issues. When compared to an internal system that everyone has probably forgotten even exists, there is no comparison in terms of reliability.
I can understand that LE has determined that the cost of these notifications outweighs the benefits. I have a number of questions around this part:
Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us.
Does that mean LE will completely remove email addresses from ACME accounts? This will mean ending not only expiration emails but also emails about potential future mass revocation events or potential future breaking changes like the one about ending OCSP Must-Staple support.
Will LE block ACME account creation or update requests that contain email addresses? Will existing clients fail to renew if they have configured an email address?
The Baseline Requirements has places where CAs are required to inform subscribers of specific events. How does LE plan to comply with that? Will LE use the ARI explanationURL for that if they no longer have email addresses? Will LE update their Subscriber Agreement to require all subscribers to monitor the ARI explanationURL?