Let's Encrypt – Expiration Notification Service Has Ended

Original link: https://letsencrypt.org/2025/06/26/expiration-notification-service-has-ended/

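Let's Encrypt stopped sending certificate expiration notification emails on June 4, 2025. The decision was driven by users' growing adoption of automation, privacy concerns about storing millions of email addresses, cost savings, and the need to reduce infrastructure complexity. Let's Encrypt believes the resources spent on these notifications can be better used elsewhere. Users who want to keep receiving expiration notifications are encouraged to use a third-party service such as Red Sift Certificates Lite, which offers free monitoring for up to 250 certificates. Let's Encrypt has deleted the email addresses previously collected for notifications from its CA database to protect privacy. Going forward, any email address provided via the ACME API will no longer be associated with issuance data and will instead be forwarded to the general ISRG mailing list system. If the address is new, an onboarding email with subscription options will be sent. Users can subscribe to the Let's Encrypt and ISRG mailing lists for technical updates and news.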

Let's Encrypt has discontinued its expiration notification service to save tens of thousands of dollars annually, which they believe can be better used elsewhere. They also cite privacy concerns related to storing millions of email addresses linked to certificate issuance records. The Hacker News discussion explores the implications, with some users suggesting alternative solutions like mobile apps or third-party monitoring services. Others argue that relying on LE's notifications is a bad practice and encourage setting up independent monitoring systems. Concerns were also raised about companies not donating to free initiatives like LE. Users highlight that LE's decision isn't solely about cost but also about minimizing data retention for privacy reasons. Some discuss the importance of certificate expiration for security and agility, while others debate the necessity of shorter certificate lifetimes and the challenges of automating certificate renewal.

Original text

Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us via the ACME API. This service ended on June 4, 2025. The decision to end the service is the result of the following factors:

  1. Over the past 10 years more and more of our subscribers have been able to put reliable automation into place for certificate renewal.
  2. Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us.
  3. Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.
  4. Providing expiration notifications adds complexity to our infrastructure, which takes time and attention to manage and increases the likelihood of mistakes being made. Over the long term, particularly as we add support for new service components, we need to manage overall complexity by phasing out system components that can no longer be justified.

For those who would like to continue receiving expiration notifications, we recommend using a third party service such as Red Sift Certificates Lite (formerly Hardenize). Red Sift’s monitoring service providing expiration emails is free of charge for up to 250 certificates. More monitoring options can be found here.
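For operators who prefer to run the expiration check themselves rather than rely on a notification service, the following is an added example, not part of the Let's Encrypt post or any Let's Encrypt tooling. The thresholds, the `SAMPLE` certificate, the host name `sample.invalid` and all function names are assumptions of this example; it uses only the Python standard library.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS, CRIT_DAYS = 30, 7  # assumed alert thresholds; tune to your renewal schedule
# Constructed sample in getpeercert() format, used when no host name is given.
SAMPLE = {"notAfter": "Jul 10 00:00:00 2025 GMT"}

def fetch_cert(host, port=443, timeout=10):
    """Return the validated leaf certificate as the dict from getpeercert()."""
    ctx = ssl.create_default_context()  # chain and host name verification stay on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now):
    """Days until notAfter; negative once the certificate has expired."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) / 86400

def check(host, now=None, fetch=fetch_cert):
    """Return (status, days_left_or_None, detail) for one host."""
    now = now or datetime.now(timezone.utc)
    try:
        cert = fetch(host)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired (or otherwise untrusted) certificate fails the
        # handshake, so there is no notAfter to read: alert on the failure itself.
        return ("INVALID", None, getattr(exc, "verify_message", str(exc)))
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS errors
        return ("UNREACHABLE", None, str(exc))
    days = days_remaining(cert, now)
    status = ("EXPIRED" if days < 0 else "CRITICAL" if days <= CRIT_DAYS
              else "WARNING" if days <= WARN_DAYS else "OK")
    return (status, round(days, 1), cert["notAfter"])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = [(h, *check(h)) for h in sys.argv[1:]]
    else:  # offline demo on the constructed sample, with a fixed clock
        demo_now = datetime(2025, 6, 26, tzinfo=timezone.utc)
        results = [("sample.invalid", *check("sample.invalid", demo_now, lambda h: SAMPLE))]
    for host, status, days, detail in results:
        print(f"{status:11} {host} days_left={days} ({detail})")
    sys.exit(1 if any(r[1] != "OK" for r in results) else 0)
```

Run it from a scheduler with the host names as arguments; the non-zero exit status on anything other than `OK` is what the scheduler's own alerting should key on.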

We have deleted the email addresses provided to Let’s Encrypt via the ACME API that were stored in our CA database in association with issuance data. This doesn’t affect addresses signed up to mailing lists and other systems. They are managed in a separate ISRG system unassociated with issuance data.

Going forward, if an email address is provided to Let’s Encrypt via the ACME API, Let’s Encrypt will not store the address but will instead forward it to the general ISRG mailing list system unassociated with any account data. If the email address has not been seen before, that system may send an onboarding email with information about how to subscribe to various sources of updates.

If you’d like to stay informed about technical updates and other news about Let’s Encrypt and our parent nonprofit, ISRG, based on the preferences you choose, you can sign up for our email lists below:
