* Introducing scadere, a TLS cert renewal reminder
@ 2025-07-01 11:57 Nguyễn Gia Phong
From: Nguyễn Gia Phong @ 2025-07-01 11:57 UTC
To: chung
Greetings,

On 2025-06-26, Josh Aas wrote on Let's Encrypt's blog [0]:
> Since its inception, Let’s Encrypt has been sending
> expiration notification emails to subscribers
> that have provided an email address to us via the ACME API.
> This service ended on June 4, 2025. [...]
>
> For those who would like to continue
> receiving expiration notifications,

From Let's Encrypt's documentation for Monitoring Service Options [1]:
> There are a number of monitoring options out there, including:
> * Red Sift Certificates Lite
> * UptimeRobot
> * Datadog SSL Monitoring
> * TrackSSL
> * Host-Tracker

I must say I am rather disappointed that all listed options are SaaSS
with questionable privacy policies.

While there are free and self-hostable solutions such as UptimeKuma [2],
they, like the services listed above, use the "push" model
for notification and share the inherent limitations
that caused Let's Encrypt to shut down its notification service:

On 2025-06-26, Josh Aas continued to write on Let's Encrypt's blog [0]:
> The decision to end the service
> is the result of the following factors:
>
> 1. Over the past 10 years more and more of our subscribers
> have been able to put reliable automation into place
> for certificate renewal.
> 2. Providing expiration notification emails
> means that we have to retain millions of email addresses
> connected to issuance records. As an organization
> that values privacy, removing this requirement is important to us.
> 3. Providing expiration notifications costs Let’s Encrypt
> tens of thousands of dollars per year, money that we believe
> can be better spent on other aspects of our infrastructure.
> 4. Providing expiration notifications adds complexity
> to our infrastructure, which takes time and attention to manage
> and increases the likelihood of mistakes being made.
> Over the long term, particularly as we add support
> for new service components, we need to manage overall complexity
> by phasing out system components that can no longer be justified.

Therefore, and not at all an excuse for me to cook up
an HTTP server from scratch, we (and by _we_, I mean _I_)
at loang.net had decided to sponsor the development
and operation of scadere [3], a TLS certificate renewal reminder
that uses the "pull" notification model. This decision
is heavily inspired by public-inbox, the software
that propagates the very message you are reading.

Since TLS certificates are public, there is no reason to collect
people's email addresses as a form of access control. Instead,
scadere serves Atom feeds that anyone can subscribe to.
Not only is this so much cheaper for hosters as it does not involve
a full-blown messaging service like SMTP et al, subscribers also
needn't rely on any third party.

Subjectively, I think scadere is ready for an open beta.
Some features ought to be missing and there must remain many bugs,
but the main use case should be covered. I am currently running
an instance at https://thay.giao.loan for domain names hosted
by loang.net. Until the end of this month (2025-07),
the expiration window shall be 90 days to catch all certificates
issued by Let's Encrypt.

If you want to participate in the beta of this service,
please respond with the domain names of interest.
After the initial real-world testing, the window will be brought down
to something more reasonable like 7 or 10 days. (The service
may also be moved under loang.net after this experimental phase.)

If you are interested in hosting the service yourselves,
please check out the project's homepage [3]. I am working
on packaging it for NixOS and Guix System, and I humbly ask
you to do the same for your distribution. Scadere has
no run-time dependency other than a Python 3.11+ implementation,
although it requires a couple of others for building and testing.

We are looking forward to your feedback.

0: https://letsencrypt.org/2025/06/26/expiration-notification-service-has-ended
1: https://letsencrypt.org/docs/monitoring-options
2: https://github.com/louislam/uptime-kuma
3: https://trong.loang.net/scadere
~cnx
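
The "pull" model described in the message above, as an added sketch that is not part of the original email and is not scadere's own code: certificates inside the expiration window become Atom entries that any feed reader can poll, so no subscriber data is stored. The base URL `https://reminder.example`, the sample hostnames and dates, the function names and the choice to keep listing already-expired certificates are all assumptions.

```python
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

ATOM = "http://www.w3.org/2005/Atom"

# Constructed sample data: (hostname, notAfter in the text format
# that ssl.SSLSocket.getpeercert() reports).
SAMPLE_CERTS = [
    ("example.org", "Jul  5 12:00:00 2025 GMT"),
    ("mail.example.org", "Sep 20 08:30:00 2025 GMT"),
    ("old.example.org", "Jun 28 00:00:00 2025 GMT"),
]


def expiring(certs, now, window):
    """Return (host, not_after) pairs expiring within window, soonest first.

    Already expired certificates are kept (assumption of this sketch):
    they are the ones most in need of renewal.
    """
    due = []
    for host, not_after_text in certs:
        not_after = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(not_after_text), tz=timezone.utc)
        if not_after - now <= window:
            due.append((host, not_after))
    return sorted(due, key=lambda pair: pair[1])


def atom_feed(certs, now, window, base="https://reminder.example"):
    """Render the certificates due for renewal as an Atom feed (bytes)."""
    ET.register_namespace("", ATOM)
    feed = ET.Element(f"{{{ATOM}}}feed")
    ET.SubElement(feed, f"{{{ATOM}}}id").text = f"{base}/"
    ET.SubElement(feed, f"{{{ATOM}}}title").text = "Certificates due for renewal"
    ET.SubElement(feed, f"{{{ATOM}}}updated").text = now.isoformat()
    author = ET.SubElement(feed, f"{{{ATOM}}}author")
    ET.SubElement(author, f"{{{ATOM}}}name").text = "renewal reminder"
    for host, not_after in expiring(certs, now, window):
        entry = ET.SubElement(feed, f"{{{ATOM}}}entry")
        # The ID embeds the expiry date, so a renewed certificate that later
        # nears expiry again appears as a new entry in feed readers.
        ET.SubElement(entry, f"{{{ATOM}}}id").text = (
            f"{base}/{host}/{not_after:%Y%m%dT%H%M%SZ}")
        ET.SubElement(entry, f"{{{ATOM}}}title").text = (
            f"{host}: certificate expires {not_after:%Y-%m-%d}")
        ET.SubElement(entry, f"{{{ATOM}}}updated").text = now.isoformat()
    return ET.tostring(feed, encoding="utf-8", xml_declaration=True)
```
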