Let's Encrypt no longer emails you before your certificate expires
Verified 17 Jul 2026
On June 4, 2025, Let's Encrypt sent its last certificate expiration notification email. If you relied on those emails — and 762 million websites' worth of people did — nothing warns you anymore when a renewal quietly fails.
Their advice was blunt: sign up for a third-party monitoring service.
Why this matters even with auto-renew: renewal automation fails silently. A DNS challenge breaks after a provider change. A rate limit hits. certbot renews but nginx never reloads, so the server keeps serving the old certificate while your logs say success. The old emails were how thousands of people found out their automation had been broken for weeks. That safety net is gone.
It is about to matter more: certificate lifetimes are dropping from 398 days to 200 in March 2026, then 100, then 47 days by 2029. Shorter certificates mean renewals happen 9x more often — and every renewal is a chance for the automation to fail.
What to do now:
1. Put your domains into a monitor that checks the certificate your server actually serves — not your renewal logs, and not CT logs (CT-based expiry alerts fire on certificates you already replaced; people switching to the CT-based services have been drowning in false positives).
2. Make sure it validates the full chain and the hostname, not just the leaf expiry date.
3. Send the alerts somewhere your team actually looks: email or your own webhook.
CertPost does exactly this. Paste a domain on the homepage and you'll see the full report — chain, hostname, expiry — in about two seconds, without creating an account. Three certificates are free forever (your apex, www, and API), checked daily, with all alert channels included. Beyond three, Personal is $9/month for up to 100 certificates, and Team is $29/month with unlimited certificates.
Sign in to read the full comparison.
Get started