How can I unsubscribe from certificate expiration notifications for a specific certificate?

Hello,

We're using Let's Encrypt with the Posh-ACME client to provide us certificates to enable HTTPS traffic for a large number of websites we build, host and manage.

Sometimes, such a website is stopped and the domain name is canceled, or the domain name is not canceled but its ownership is transferred to another individual or company (and after this, no longer under our management).

In this use case, we remove the website from our servers, and we also remove the Let's Encrypt certificate, as of course it has no further use.

I've noticed that Let's Encrypt sends email notifications for these certificates, but as we are not hosting the website any more, the email is of little value and needs to be ignored.

I was wondering whether it is possible at all to disable expiration notifications for a specific Let's Encrypt order?

I've asked this to the Posh-ACME developer; see issue #450 "Let's Encrypt sends email notifications on orders that have been removed" on GitHub.

Perhaps I should revoke the certificate to stop the expiration notifications? I do realize, however, that revoking a certificate is discouraged and should only be done if a certificate has been compromised, so I'd prefer not having to use this method.

Perhaps there's another way to unsubscribe?

Looking forward to reading any insights on this.

Thanks,
Steven Volckaert

5 Likes

No, there is not a way to unsubscribe from a specific domain email reminder. But, there are only 3 reminders sent so they will stop fairly soon. They do not persist like often happens with purchased certs.

If this is a chronic problem, perhaps you could set up a rule in your email system to auto-delete these emails? For example, if an email has certain terms in the subject and a specific string in the body, you could delete it. You could even look at the sender to further qualify.

Yes, revoking should be limited as you describe. (see mcpherrinm's post below)

5 Likes

Revoking because the certificate isn’t under your management anymore is a perfectly reasonable thing to do in this scenario.

10 Likes

Should one use the affiliationChanged or cessationOfOperation revocation reason? RFC 5280 doesn't really explain when to use what code.

8 Likes

This has recently been clarified in the new MRSP that prompted "Upcoming changes to revocation reasons".

Let's Encrypt also now documents their new revocation policy here:

Let's Encrypt does not allow the usage of affiliationChanged in any case. You must use cessationOfOperation.

Let's Encrypt has discussed their reasoning for this on MDSP here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/m3-XPcVcJ9M/m/1ACibMBYAAAJ

9 Likes

Thank you all for your comments, they have been most helpful.

After reading the Revoking Certificates - Let's Encrypt page, it is clear now that I should revoke the certificate with reason cessationOfOperation.

I assume no notifications are sent after a certificate revocation, which is exactly what we want to achieve :+1:

6 Likes
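
The reason names discussed in this thread map to numeric CRLReason codes from RFC 5280, and an ACME client sends that number in the revocation request defined by RFC 8555 section 7.6. The sketch below is an added example, not code from any poster or from Posh-ACME; the function names and the sample certificate bytes are constructed for illustration, and the only policy rule it enforces is the one stated above (affiliationChanged is refused, cessationOfOperation is used instead).

```python
import base64

# CRLReason codes from RFC 5280 section 5.3.1 (value 7 is unused).
CRL_REASONS = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2,
    "affiliationChanged": 3, "superseded": 4, "cessationOfOperation": 5,
    "certificateHold": 6, "removeFromCRL": 8, "privilegeWithdrawn": 9,
    "aACompromise": 10,
}

# Policy as stated in this thread: Let's Encrypt never accepts affiliationChanged.
REJECTED_BY_CA = {"affiliationChanged"}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and return the DER bytes of one certificate."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("input is not a single PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def build_revocation_payload(pem: str, reason: str) -> dict:
    """Build the JSON payload an ACME client signs and POSTs to revokeCert."""
    if reason not in CRL_REASONS:
        raise ValueError(f"unknown revocation reason: {reason}")
    if reason in REJECTED_BY_CA:
        raise ValueError(f"{reason} is not accepted; use cessationOfOperation")
    # RFC 8555 requires base64url of the DER encoding, without '=' padding.
    cert = base64.urlsafe_b64encode(pem_to_der(pem)).rstrip(b"=").decode("ascii")
    return {"certificate": cert, "reason": CRL_REASONS[reason]}


# Constructed placeholder bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x15" + bytes(range(0xEB, 0x100))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(build_revocation_payload(SAMPLE_PEM, "cessationOfOperation"))
```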
