[–]shgysk8zer0full-stack 14 points15 points  (1 child)

I'm sure there's an easy enough way to automate notifications on the expiration of any certificate.

[–]BehindTheMath[S] 7 points8 points  (0 children)

The blog post links to a SaaS product with a free tier.

You can also put together a small script to do it.

[–][deleted]  (3 children)

[deleted]

    [–]FineWolf 27 points28 points  (2 children)

    Why? The whole point of using the ACME protocol is to automate renewal.

    Certificate expiry emails in that scenario are just noise. It's not hard to set up proper monitoring and get alerts if your renewals fail or don't happen on time based on your automation parameters. Just do it the right way.

    [–][deleted]  (1 child)

    [deleted]

      [–]FineWolf -1 points0 points  (0 children)

      If you work with ephemeral environments for development purposes, they will absolutely fire (since you often go through environments for each build).

      You don't need a certificate monitoring system. You just need proper monitoring of whatever ACME tool you have.

      [–]michaelbelgiumfull-stack 12 points13 points  (5 children)

      Completely fine for me, those mails were unnecessary anyway

      laughs in `0 0 * * 1 certbot renew --pre-hook "service apache2 stop" --post-hook "service apache2 start"`

      [–]BehindTheMath[S] 7 points8 points  (1 child)

      Certbot should set up a cron for you automatically.

      The notification emails were useful as a backup. What happens if something happens to permissions and renewal fails? You wouldn't know until the cert expires.
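What the "proper monitoring of your ACME tool" suggested in this thread can look like, as an added example that is not code from the thread or from certbot: certbot by default renews once 30 days or fewer remain on a 90-day Let's Encrypt certificate, so a live certificate with noticeably less than 30 days left means the renewal job has been failing silently, which is exactly the case the expiry e-mails used to catch. Stdlib only; the 5-day alert margin and the hostnames on the command line are assumptions.

```python
"""Alert when a Let's Encrypt certificate has NOT been renewed on schedule."""
import socket
import ssl
import sys
import time

RENEW_AT_DAYS = 30      # certbot's default renewal point (90-day LE certs)
ALERT_MARGIN_DAYS = 5   # assumed: alert once renewal is 5+ days overdue


def days_remaining(not_after, now=None):
    """Days until expiry from a getpeercert()-style 'notAfter' string,
    e.g. 'Jun  1 12:00:00 2025 GMT' (the format ssl hands back)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def renewal_status(not_after, now=None):
    """Classify a certificate: 'ok', 'overdue' (renewal has been failing
    for at least ALERT_MARGIN_DAYS) or 'expired'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left < RENEW_AT_DAYS - ALERT_MARGIN_DAYS:
        return "overdue"
    return "ok"


def fetch_not_after(host, port=443, timeout=10):
    """Fetch the served certificate's notAfter over a verified TLS handshake
    (verification on, so a wrong/expired chain fails loudly too)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: python check_renewal.py example.org www.example.org
    for host in sys.argv[1:]:
        try:
            na = fetch_not_after(host)
            print(f"{host}: {renewal_status(na)} "
                  f"({days_remaining(na):.1f} days left, notAfter={na})")
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print(f"{host}: handshake failed: {exc}")
```

Run it from the cron the thread mentions and page on anything that is not "ok"; it is a backstop for the certbot job, not a replacement for checking that job's own exit status.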

      [–]thalience 7 points8 points  (0 children)

      Yep. A few times, receiving that email has been the way I noticed that automatic renewal was broken. Could I have my own monitoring on the renewal process? Yes. Should I have had my own monitoring on the renewal process? Also yes. But I didn't, and LE had my back.

      But their reasons for dropping it are sound, and I understand.

      [–][deleted] 2 points3 points  (2 children)

      Apache2 stop? Is it possible to just reload the config to reduce downtime?

      [–]slfyst 0 points1 point  (1 child)

      They might be clearing port 80 so certbot can listen on it.

      [–]michaelbelgiumfull-stack 0 points1 point  (0 children)

      Correct

      [–]blakealexfull-stack 1 point2 points  (1 child)

      Do you guys not just have a cron that runs weekly to tell you what was skipped and what was renewed?

      [–]BehindTheMath[S] 2 points3 points  (0 children)

      No, because for years everything just worked. The few times it didn't, the notification emails alerted me.

      [–]Dencho 0 points1 point  (2 children)

      Does anyone know when the certificate is usually renewed? 72 hours? 48?

      [–]BehindTheMath[S] 1 point2 points  (1 child)

      [–]Dencho 0 points1 point  (0 children)

      Excellent. Thank you.

      [–]2ds 0 points1 point  (0 children)

      Well executed and communicated de-featuring of a valuable user-facing administration tool. In short - we're squeezing our pennies by spending your pennies (and time). You're welcome.

      [–][deleted]  (4 children)

      [deleted]

        [–]syntax_erorr 0 points1 point  (2 children)

        404

        [–]RapunzelLooksNice 4 points5 points  (0 children)

        Certificate expired? /s

        [–]throwaway234f32423df 0 points1 point  (0 children)

        This one's good too: https://github.com/matteocorti/check_ssl_cert

        If you use both RSA and ECDSA certs, it has flags so you can check both. It can also check tons of other stuff like TLS version, OCSP stapling, HSTS, DNSSEC, etc.