Starting today (June 4th, 2025), Let's Encrypt will stop sending reminder emails for expiring HTTPS certificates. The announcement and reasons for this change were announced in this blog post. Here's what you need to know:
Certificate Renewal Reminders
Certificate automation doesn't end when you download a certificate. Renewing is critical because when a certificate expires it is no longer trusted by browsers and clients. Letting your site's certificate expire causes expensive and embarrassing downtime.
Automating certificate renewals is the most error prone part of certificate automation because it runs weeks or months after initial setup. A lot can change in the mean time, for instance:
DNS records and webserver configuration for ACME challenges can be silently overwritten.
Credentials for DNS providers can expire.
Additional certificates can trip account & domain rate limits.
Expiration emails from Let's Encrypt were a last ditch effort to alert you to take manual action. If you received an expiration notice email, it's because it did not automatically renew and will soon expire. Now that these emails are no longer being sent, you should take proactive measures to ensure automatic certificate renewals don't silently break.
Going Forward
You won't be getting renewal reminder emails from Let's Encrypt. If you relied on these to monitor certificate renewals, here are a few ways to stay on top of future certificate renewals.
Let's Encrypt supports ACME Renewal Information (ARI), which is supported by most major ACME clients today. Enabling ARI increases reliability of automated certificate renewals because these requests do not count towards Let's Encrypt rate limits, so other ACME automation for the same domain and account won't impact certificate renewals. However, be aware that expired DNS credentials and changes to ACME challenge configuration can still cause renewals to fail, even with ARI enabled.
Certificate Transparency (CT) logs let browsers and clients maintain trust in certificate issuers (aka Certificate Authorities or CAs). They are also a great way to monitor certificates in use for your domains. CT logs power sites like crt.sh, which provide a RSS feed of certificates and expiration dates. Other CT log based tools and APIs help with certificate monitoring.
Other ACME based CAs still send certificate renewal reminder emails, for example ZeroSSL sends “Certificate Expiring” emails 3 days prior to expiration. And thanks to uniformity of the ACME standard, switching CAs is a pretty minor change. There are tradeoffs with different CAs in terms of price, compatibility, and level of service, so choose a CA that meets your operational needs.
Putting it All Together
If you use Let’s Encrypt and haven’t ever noticed reminder emails, your certificate renewal automation is fine as-is. If you want renewal reminder emails and are willing to reconfigure your ACME client, an alternative CA may be your best bet. Either way, enabling ARI and adding CT log based monitoring is a quick & easy way to bolster your certificate renewal automation.
