
    1. 9

      I have a pair of old domains where renewal automation is broken, and every 3 months, I manually renew and say “I really gotta automate this.”

      …I guess we’ll find out if ending email notifications is the stick that gets me to do it.

      1. 6

        I’ve been grateful for the expiration notices. The self-hosted PaaS tool I use sometimes gets confused and schedules renewal for after the expiration date, and the notices have saved me there.

        I’m not sure of a convenient way to monitor expiration in my situation: I put my sites behind Cloudflare and use LetsEncrypt to secure the connection between Cloudflare and my server. This means public cert monitoring services can’t see my LetsEncrypt cert, and local monitoring tools have to ignore or override DNS.

        I should probably submit a patch to the PaaS LetsEncrypt plug-in so it’s just one and done for all hosted sites.

        1. 3

          https://sslmate.com/certspotter/ uses Certificate Transparency logs to spot and alert when a cert hasn’t been renewed. This doesn’t rely on your TLS server being publicly accessible.

          Alternatively, can you use CloudFlare Tunnels to secure the CloudFlare-to-server link, and avoid the need for you to manage TLS certs?

          1. 2

            I’m not sure of a convenient way to monitor expiration in my situation: I put my sites behind Cloudflare and use LetsEncrypt to secure the connection between Cloudflare and my server. This means public cert monitoring services can’t see my LetsEncrypt cert, and local monitoring tools have to ignore or override DNS.

            If it’s not something super-sensitive, then you could switch to Full instead of one of the stricter options. Then you can just use a self-signed certificate and Cloudflare doesn’t do any validation.

          2. 3

            This makes me sad, but I understand wanting to focus funding in more useful places. I self-hosted quite a few services and accidentally broke my TLS-based renewal when I slid some of them behind a Cloudflare proxy to combat AI bot scraping. One day, I got an email from Cloudflare saying my certs would expire and figured it out. Without that, I likely would have just had things fail suddenly. I know UptimeRobot can do this check if I pay $6/mo but it seems a little steep to me. SSLMate is $15/mo. I don’t know, I wish they’d keep it as opt-in or something.

            1. 2

              I must be the only one here using Apache’s mod_md to manage certificates. In the two years I’ve been using it, it has just worked.

              1. 1

                I use it as well. Very nice. I actively avoid nginx because it doesn’t have (didn’t have?) a built-in automatic acme client. Caddy, Apache and Traefik are fine.

                1. 2

                  Same here, but I want to note that if you use NixOS, it can automatically provision certificates with certbot by just setting a flag for either nginx or Apache, which is insanely convenient. I set this up once three years ago and never had to think about it again, it just works.

              2. 1

                I worked in a company that monitored (and managed) like 2500 hosts, Linux and Windows, using Nagios. I worked on a kind of Nagios templating system so that adding a new host was quick. The engineers had it well internalized that ANY http service monitor MUST be accompanied by a cert check. IIRC, Nagios’ check_http had this built-in.

                Likewise, any domain had a procedure for proactive renewal reminders.

                I did not realize at the time that this kind of discipline is rare. I was initially so surprised by expired certificates and domains, it took me a while to realize what was happening.

                But, I still use Nagios, my certs have never expired :)
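
Two points in the thread ask for the same thing: a cert check that sees the origin's Let's Encrypt certificate even though public DNS points at Cloudflare (the "local monitoring tools have to ignore or override DNS" comment), and the Nagios habit of pairing every HTTP monitor with a cert check. The script below is an added example written for this page, not code posted by anyone in the thread or shipped with Nagios, Cloudflare or Let's Encrypt. It dials the origin address you supply instead of resolving the name, still sends the real hostname via SNI so the origin serves the right virtual host, and maps days-to-expiry onto Nagios exit codes. The hostname, the 203.0.113.10 origin address and the 20/7-day thresholds are placeholders; the `cert` dict in the usage is constructed for illustration. One caveat a practitioner will hit: Python's `getpeercert()` only returns a parsed certificate when verification is on, so this reads a CA-issued origin cert but not a self-signed one (the "Full" mode suggestion above).

```python
"""check_origin_cert.py: expiry check for the certificate an origin really serves.

Added example for this thread, not from the original comments. Connects to a
given address (bypassing DNS, which points at the CDN edge) while sending the
real hostname via SNI, then reports remaining validity as a Nagios-style result.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Let's Encrypt issues 90-day certs and clients normally renew ~30 days out,
# so anything under 20 days left means renewal automation has already failed.
DEFAULT_WARN_DAYS = 20
DEFAULT_CRIT_DAYS = 7


def fetch_peer_cert(hostname, connect_to=None, port=443, timeout=5.0):
    """Return getpeercert() for `hostname`, dialing `connect_to` instead of DNS.

    Verification stays enabled on purpose: with CERT_NONE, getpeercert()
    returns {} and there is no notAfter to read, so a self-signed origin
    certificate cannot be inspected this way.
    """
    ctx = ssl.create_default_context()
    target = connect_to or hostname
    with socket.create_connection((target, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and hostname verification
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Days (float) until cert['notAfter']; negative once expired.

    `cert` is a getpeercert() dict; notAfter looks like 'Jun  1 12:00:00 2025 GMT'
    and ssl.cert_time_to_seconds parses exactly that format.
    """
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400.0


def classify(days, warn=DEFAULT_WARN_DAYS, crit=DEFAULT_CRIT_DAYS):
    """Map remaining days onto (exit code, message) the way a Nagios plugin does."""
    if days < 0:
        return CRITICAL, "CRITICAL: certificate expired %.1f days ago" % -days
    if days < crit:
        return CRITICAL, "CRITICAL: certificate expires in %.1f days" % days
    if days < warn:
        return WARNING, "WARNING: certificate expires in %.1f days" % days
    return OK, "OK: certificate valid for %.1f more days" % days


def check(hostname, connect_to=None, port=443,
          warn=DEFAULT_WARN_DAYS, crit=DEFAULT_CRIT_DAYS):
    """Fetch the origin cert and classify it; network/TLS failures become UNKNOWN."""
    try:
        cert = fetch_peer_cert(hostname, connect_to, port)
    except (OSError, ssl.SSLError) as exc:
        return UNKNOWN, "UNKNOWN: could not fetch cert for %s: %s" % (hostname, exc)
    if not cert:
        return UNKNOWN, "UNKNOWN: no parsed certificate (verification disabled?)"
    return classify(days_until_expiry(cert), warn, crit)


if __name__ == "__main__":
    # usage: python3 check_origin_cert.py example.com 203.0.113.10 [warn_days] [crit_days]
    # (example.com and 203.0.113.10 are placeholders for your site and origin address)
    if len(sys.argv) < 2:
        print("usage: check_origin_cert.py HOSTNAME [ORIGIN_ADDRESS] [WARN] [CRIT]")
        sys.exit(UNKNOWN)
    host = sys.argv[1]
    origin = sys.argv[2] if len(sys.argv) > 2 else None
    warn = int(sys.argv[3]) if len(sys.argv) > 3 else DEFAULT_WARN_DAYS
    crit = int(sys.argv[4]) if len(sys.argv) > 4 else DEFAULT_CRIT_DAYS
    code, message = check(host, origin, warn=warn, crit=crit)
    print(message)
    sys.exit(code)
```

Wire it into Nagios as a command whose exit code is the check result, the same contract `check_http -C` follows, and point it at the origin address rather than the public name; the public name would hand you Cloudflare's edge certificate and tell you nothing about the Let's Encrypt cert on the origin.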