Recently, Let’s Encrypt announced that they would no longer be sending out notification emails when certificates they’ve issued are about to expire:
Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us. We will be ending this service on June 4, 2025.
The short of it is that Let’s Encrypt wants people to be using mechanisms to automatically renew their certificates rather than relying on a manual process every 90 days which involves paying attention to email notifications, notifications which require infrastructure (and thus money) to send.
I can definitely understand Let’s Encrypt’s rationale here, and I generally leverage auto-renewing certificates. For a few scenarios, however, I have some things running that I still need to manually renew. It’s not ideal, but it makes sense for various reasons beyond the scope of this post. For those items, I still wanted some sort of notification so I’d be aware that a certificate is going to expire. The recommendation from Let’s Encrypt’s post is to swap to a service called Red Sift, so I figured I may as well give it a try.
After signing up for the service, Red Sift will ask what domain(s) it should be checking. By default it includes the TLD of your email address, so I simply removed that since it wasn’t relevant for what I wanted to monitor. I plugged in the 3 sub-domains that were important for me, and was given the message that it would take a little bit of time to pull them in.
I don’t know how long it actually took since I went off and did other things while this was happening in the background. Eventually I came back to Red Sift, though, and saw some nice little reports and widgets on my domains:
It’s important to note that Red Sift is not Let’s Encrypt-specific by any means; the fact that it can monitor the expiration time of certificates at a given domain just means it can fill the gap left behind when Let’s Encrypt stops offering that functionality. As such, some of the things included in the reporting won’t make sense from a Let’s Encrypt perspective, such as certificates expiring in more than 500 days… which will never happen for 90-day Let’s Encrypt certs.
By default, the out of the box email notifications for certificates are for 60 days, 14 days, and 3 days. Again, for a Let’s Encrypt certificate with a 90 day lifetime, getting a notice that it’ll expire in 60 days isn’t particularly useful, but the 14 and 3 day windows align more or less perfectly. If you want to control these yourself, you have to upgrade to a paid account, but I personally didn’t see a problem with the out of the box experience. The emails themselves are more or less the same as what Let’s Encrypt would send out previously. You see the domain, how many days are left on it, and that’s about it. It’s to the point and fills the gap nicely.