Let’s Encrypt, the world’s leading certificate authority, announced a significant operational change that took effect on June 4, 2025. The organization ceased sending SSL certificate expiration notifications, marking a decisive shift toward fully automated certificate management processes.
Strategic Shift Toward Automation and Resource Optimization
This decision reflects the evolving landscape of digital certificate management, driven by two primary factors. First, the widespread adoption of automated certificate renewal systems has made email notifications increasingly redundant. Second, the notification infrastructure incurred substantial operational costs, estimated at tens of thousands of dollars annually, which Let’s Encrypt is reallocating to core service improvements.
Enhanced Privacy and Infrastructure Streamlining
By eliminating the need to maintain millions of email addresses associated with certificate issuance, Let’s Encrypt has substantially reduced its data footprint and strengthened privacy protections. This architectural simplification aligns with contemporary data minimization principles consistent with frameworks like OWASP’s security guidelines.
Who Is Affected by This Change
The following groups are directly impacted by the end of expiration email notifications:
- Website administrators who relied solely on Let’s Encrypt email alerts to track certificate renewal deadlines
- Small businesses and individuals running manually renewed certificates without a configured ACME client
- Developers managing multiple domains where certificate expiry was tracked informally via inbox alerts
- Organizations using older ACME clients (Certbot versions below 1.x) that do not perform automatic renewal
What to Do: Configure Automated Renewal and Monitoring
- Configure Certbot or another ACME client for automatic renewal — run
certbot renew --dry-runto verify your setup is working before the cutover date - Set up a cron job or systemd timer to invoke
certbot renewat least twice daily (the recommended schedule) - Use Red Sift Certificates Lite (free tier covers up to 250 certificates), Datadog SSL monitoring, or TrackSSL to receive independent expiry alerts outside the CA infrastructure
- For Nginx/Apache deployments, confirm your renewal hooks reload the web server after a successful renewal to avoid serving expired certificates
- Monitor certificate transparency logs via
crt.shto independently verify that new certificates are being issued for your domains
HTTPS Adoption Trends
Let’s Encrypt’s statistics show remarkable growth in HTTPS adoption, with daily certificate issuance reaching 8 million as of December 2024. The percentage of HTTPS-protected web pages reached 82% as of January 2025 — a testament to the organization’s impact on web security infrastructure over the past decade.
The end of expiration emails is not a removal of service — it is a signal that certificate automation has matured enough that manual tracking should no longer be the default. Administrators who have not yet deployed automated renewal should treat this change as the final prompt to do so.
