From: Nguyễn Gia Phong
Date: Tue, 01 Jul 2025 20:57:46 +0900
Subject: Introducing scadere, a TLS cert renewal reminder

Greetings,

On 2025-06-26, Josh Aas wrote on Let's Encrypt's blog [0]:
> Since its inception, Let’s Encrypt has been sending
> expiration notification emails to subscribers
> that have provided an email address to us via the ACME API.
> This service ended on June 4, 2025. [...]
>
> For those who would like to continue
> receiving expiration notifications,

From Let's Encrypt's documentation for Monitoring Service Options [1]:
> There are a number of monitoring options out there, including:
> * Red Sift Certificates Lite
> * UptimeRobot
> * Datadog SSL Monitoring
> * TrackSSL
> * Host-Tracker

I must say I am rather disappointed that all listed options
are SaaSS with questionable privacy policies. While there are
free and self-hostable solutions such as UptimeKuma [2], they,
like the services listed above, use the "push" model
for notification and share the inherent limitations
that caused Let's Encrypt to shut down its notification service:

On 2025-06-26, Josh Aas continued to write on Let's Encrypt's blog [0]:
> The decision to end the service
> is the result of the following factors:
>
> 1. Over the past 10 years more and more of our subscribers
>    have been able to put reliable automation into place
>    for certificate renewal.
> 2. Providing expiration notification emails
>    means that we have to retain millions of email addresses
>    connected to issuance records. As an organization
>    that values privacy, removing this requirement is important to us.
> 3. Providing expiration notifications costs Let’s Encrypt
>    tens of thousands of dollars per year, money that we believe
>    can be better spent on other aspects of our infrastructure.
> 4. Providing expiration notifications adds complexity
>    to our infrastructure, which takes time and attention to manage
>    and increases the likelihood of mistakes being made.
>    Over the long term, particularly as we add support
>    for new service components, we need to manage overall complexity
>    by phasing out system components that can no longer be justified.

Therefore, and not at all an excuse for me to cook up
an HTTP server from scratch, we (and by _we_, I mean _I_)
at loang.net had decided to sponsor the development and operation
of scadere [3], a TLS certificate renewal reminder
that uses the "pull" notification model.

This decision is heavily inspired by public-inbox, the software
that propagates the very message you are reading. Since
TLS certificates are public, there is no reason to collect
people's email addresses as a form of access control. Instead,
scadere serves Atom feeds that anyone can subscribe to.
Not only is this so much cheaper for hosters, as it does not involve
a full-blown messaging service like SMTP et al.,
subscribers also needn't rely on any third party.

Subjectively, I think scadere is ready for an open beta.
Some features ought to be missing and there must remain many bugs,
but the main use case should be covered. I am currently running
an instance at https://thay.giao.loan for domain names
hosted by loang.net. Until the end of this month (2025-07),
the expiration window shall be 90 days to catch all certificates
issued by Let's Encrypt.

If you want to participate in the beta of this service,
please respond with the domain names of interest.
After the initial real-world testing, the window will be brought down
to something more reasonable like 7 or 10 days. (The service
may also be moved under loang.net after this experimental phase.)

If you are interested in hosting the service yourselves,
please check out the project's homepage [3]. I am working
on packaging it for NixOS and Guix System, and I humbly ask you
to do the same for your distribution. Scadere has no run-time
dependency other than a Python 3.11+ implementation,
although it requires a couple others for building and testing.

We are looking forward to your feedback.

0: https://letsencrypt.org/2025/06/26/expiration-notification-service-has-ended
1: https://letsencrypt.org/docs/monitoring-options
2: https://github.com/louislam/uptime-kuma
3: https://trong.loang.net/scadere

~cnx
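
The "pull" model described in the message above, as an added example that is not scadere's own code: certificates whose expiry falls inside the window are rendered as an Atom feed that any reader can poll, with no subscriber addresses stored. The hostnames, the base URL and all function names are assumptions made for illustration; the notAfter strings are constructed sample data in the format Python's ssl module reports.

```python
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

ATOM = "http://www.w3.org/2005/Atom"
ET.register_namespace("", ATOM)  # serialize Atom as the default namespace

# Constructed sample: (hostname, notAfter in the format found in
# ssl.SSLSocket.getpeercert()["notAfter"]). Hostnames are placeholders.
SAMPLE_CERTS = [
    ("a.example", "Jul  5 00:00:00 2025 GMT"),
    ("b.example", "Sep 20 00:00:00 2025 GMT"),
    ("c.example", "Dec 31 00:00:00 2025 GMT"),
    ("d.example", "Jun 30 00:00:00 2025 GMT"),  # already expired
]

def expiring(certs, now, window_days):
    """Return (host, not_after) pairs inside the window, soonest first."""
    deadline = now + timedelta(days=window_days)
    parsed = [(host, datetime.fromtimestamp(
        ssl.cert_time_to_seconds(text), timezone.utc)) for host, text in certs]
    # Already-expired certificates stay in: they are the most urgent reminder.
    return sorted((p for p in parsed if p[1] <= deadline), key=lambda p: p[1])

def el(parent, tag, text=None):
    """Append an Atom-namespaced child element and return it."""
    child = ET.SubElement(parent, f"{{{ATOM}}}{tag}")
    child.text = text
    return child

def atom_feed(certs, now, window_days, base_url="https://reminder.example"):
    """Render the expiring certificates as an Atom feed (base_url is assumed)."""
    feed = ET.Element(f"{{{ATOM}}}feed")
    el(feed, "id", base_url + "/")
    el(feed, "title", "TLS certificate renewal reminder")
    el(feed, "updated", now.isoformat())
    el(el(feed, "author"), "name", "example reminder")
    for host, not_after in expiring(certs, now, window_days):
        entry = el(feed, "entry")
        # The id is stable per (host, expiry): polling again does not
        # re-notify, while a renewed certificate gets a different id.
        el(entry, "id", f"{base_url}/{host}/{int(not_after.timestamp())}")
        el(entry, "title", f"{host} expires {not_after:%Y-%m-%d}")
        # The moment the certificate entered the reminder window.
        el(entry, "updated", (not_after - timedelta(days=window_days)).isoformat())
    return ET.tostring(feed, encoding="unicode")

if __name__ == "__main__":
    print(atom_feed(SAMPLE_CERTS, datetime(2025, 7, 1, tzinfo=timezone.utc), 7))
```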