I think it’s a good idea, everyone should be automating this anyway.

  • argon@lemmy.today
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    3
    ·
    5 months ago

    Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year

    Not doubting them, but I don’t understand how that’s possible.

    Storing the email addresses and expiration dates takes an irrelevant amount of storage space, even if they had billions of cutomers.

    Sending the emails should also not cost thousands, even if a significant amount of customers regularly let their certificates expire (which hopefull isn’t the case).

    So where are the tens of thousands of yearly costs coming from?

    • Ajen@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      16
      ·
      5 months ago

      If they send 2 emails per subdomain per year, that could easily be 10s of millions which would make the cost per email measured in thousandths of a cent. And I could see the number of subdomains being larger by a factor of 10, maybe more.

      Another angle: someone with IT experience needs to manage the system that seems emails, and other engineers need to integrate other systems with the email reminder system. The time spent on engineering could easily add up to thousands per year, if not tens of thousands.

      I’m guessing their figure is based on both running costs and engineering costs.

    • Luci@lemmy.ca
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      5 months ago

      Transactional email services are about $15 per 10,000 emails. I’ll round down to $10 to consider b2b deals and let’s just say it’s $10,000 per year. That would be like idk 84k emails a month.

      Keep in mind this doesn’t consider the DB hosting and the processing of expiring emails and salaries, so yeah, I could see it.

      Edit: before anyone yells at me. I can’t math.

      • justcallmelarry@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        Not yelling, but pointing out, to people who also dont math, that if we assume $10 per 10k emails (or $1 per 1k, for simpler math), that’d be $84 for 84000 emails in a month, so you need to add another 0 to the figure (ie 840k emails in a month)

  • SkyNTP@lemmy.ml
    link
    fedilink
    English
    arrow-up
    10
    ·
    5 months ago

    I think it’s a good idea, everyone should be automating this anyway.

    This is still not possible in all scenarios. For example, wildcard certificates for DNS providers with no API support.

      • ramble81@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        5 months ago

        There are a lot of embedded systems that do not offer API support to swap out certificates. Things like switches, dvr, nas devices, etc.

        • rmuk@feddit.uk
          link
          fedilink
          English
          arrow-up
          8
          ·
          5 months ago

          Honestly in rare situations that a device like that needs to be accessible from the wild Internet I think it’d be mad to expose it directly, especially if it’s not manageable as you suggest. At the very least, I’d be leaning on a reverse proxy.

          • ramble81@lemm.ee
            link
            fedilink
            English
            arrow-up
            6
            arrow-down
            1
            ·
            5 months ago

            That implies though I don’t want valid certificates in my environment. I still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.

            • IsoKiero@sopuli.xyz
              link
              fedilink
              English
              arrow-up
              8
              arrow-down
              1
              ·
              5 months ago

              Valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.

              • wildbus8979@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                5 months ago

                But then you have to distribute CAs to all the devices that will reach this service, and not all devices allow that.

                • IsoKiero@sopuli.xyz
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  5 months ago

                  True. And there’s also a ton of devices around which don’t trust LetsEncrypt either. There’s always edge cases. For example, take a bit older photocopier and it’s more than likely that it doesn’t trust on anything on this planet anymore and there’s no easy way to update CA lists even if the hardware itself is still perfectly functional.

                  That doesn’t mean that your self-signed CA, in itself, would be technically any less secure than the most expensive Verisign certificate you can find. And yes, there’s a ton of details and nuances here and there, but I’m not going to go trough every technical detail about how certificates work. I’m not an expert on that field by any stretch even if I do know a thing or two and there’s plenty of material online to dig deep into the topic if you want to.

            • cm0002@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              5 months ago

              still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.

              Is there a hard source with evidence that this is at all needed? Because there are a lot of things that “security departments” do that amount to security theater. Like forcing arbitrary password changes org wide.

              • ramble81@lemm.ee
                link
                fedilink
                English
                arrow-up
                3
                ·
                5 months ago

                Regardless of “hard evidence” it’s still the company policy. How well does it go over if you try to say “well acktuslly…” when it comes to password changes.

                • cm0002@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  5 months ago

                  How well does it go over if you try to say “well acktuslly…” when it comes to password changes.

                  Well, it went over easy, but I also gained the authority to implement or toss such policies when I took my job LMAO

                  In any case, I was referring to the “my environment” part since it implied you had such authority and were just choosing to emulate policies of others, ofc I don’t mean to make decisions you don’t have the authority to. Hard evidence is hard evidence though, it does give you a leg to stand on should you propose such changes

            • wildbus8979@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              5 months ago

              I’m with you, but that’s why I’m automating certificate expiry checking somewhere else (in my home assistant install to be exact).

        • ShortN0te@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          How are those devices affected by having no notification anymore? The manual labor exists anyway.

          Most network switches and devices have a web gui to switch them out. Those can be automated.

  • SirMaple__@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    5 months ago

    I manage all my certs using Cert Warden which has a dashboard that displays the expiry date. It does lack alerting, so I use Uptime-kuma to monitor the expiry dates of the certs. So not a big loss for me.

    • superglue@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      5 months ago

      I think thats the case for most of us. But for some like myself, it does mean I have to do the monitoring myself now. I can’t complain it was a free service. But it did warn me about a renewal problem before the cert expired, so it was a useful service for me.

  • merthyr1831@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    5 months ago

    Dietpi has an automatic letsencrypt recert service which could probably be ported since its just a whiptail script