Convergence Radar Convergence Engine

← Feed

F

CertLapse β€” CT-Log-Driven Certificate Renewal Monitor

25/100

A subscription that watches your TLS certs for imminent expiry, ACME failures and chain breaks β€” and finds its own customers by scanning Certificate Transparency logs for domains whose only logged cert is about to lapse with no successor.

Kill. Β· created 2026-07-10 06:51 UTC

saasapiplatformcompliance monitorsrevisit later

Scorecard

newness 3/10
convergence 4/10
demand evidence 1/10
existing spend 3/10
solo feasibility 8/10
speed to mvp 8/10
speed to revenue 3/10
distribution 3/10
competitive gap 2/10
expansion 3/10
founder fit 4/10

Penalty flags
no clear buyer no urgent pain platform policy risk (βˆ’13 from raw 38)

Opportunity brief

What changed
FACT (per source signal 1845): Let's Encrypt is discontinuing its expiry-notification emails, removing the free safety net that reminded operators to renew. HYPOTHESIS: this raises renewal-failure risk for a large long-tail installed base.
Why now
FACT: the free reminder is going away and sysadmins are asking for replacements (per the referenced r/sysadmin discussion). INFERENCE: shortening certificate lifetimes (industry moves toward 90/47-day certs) make manual tracking progressively harder, so the pain compounds over time rather than resolving.
Converging signals
(1) Let's Encrypt dropping expiry emails; (2) Certificate Transparency logs publicly enumerate every issued cert with exact expiry dates β€” a ready-made prospect list; (3) shorter cert lifetimes. Only one primary source signal (1845) is provided; the rest are inference.
Customer pain
HYPOTHESIS: a site whose cert lapses gets hard-blocked by browsers (existential downtime). But the pain is heavily mitigated for the majority by ACME auto-renewal (certbot, Caddy, cloud load balancers), so the acute, unserved pain is concentrated in a minority of manually-managed or misconfigured setups. No demand_evidence was supplied to size this.
Who pays
HYPOTHESIS: small agencies, freelance sysadmins/MSPs, and SMB site owners running manually-issued or non-auto-renewing certs. Not enterprises (they already have monitoring/PKI tooling).
Solved today
FACT-adjacent: ACME clients auto-renew (certbot/Caddy/acme.sh); free/cheap monitors already exist (UptimeRobot, Uptime.com, StatusCake, Better Stack, RapidSSL/SSL-checker tools, Nagios/Prometheus blackbox exporter, and cert-expiry-specific SaaS like Certifytheweb, Keychest, TrackSSL, Red Sift Certificate Lifecycle). Let's Encrypt itself points users to third-party monitors.
Why current solutions are bad
INFERENCE: incumbents wait for inbound signup and don't do CT-log-driven outbound. That is the only genuinely novel mechanic here β€” but it is a go-to-market tactic, not a product moat, and the monitoring feature set itself is fully commoditized.
Proposed product
A micro-SaaS cert-health monitor (expiry countdown, ACME renewal-failure detection, chain/intermediate issues, multi-channel alerts) whose acquisition engine is a daily CT-log scan (Google/Cloudflare/Sectigo CT + crt.sh) that flags domains with an expiring cert and no logged successor, resolves an admin contact (WHOIS/RDAP, security.txt, hostmaster@), and runs opt-out-respecting outreach.
MVP version
Ingest CT logs via crt.sh / certstream, compute per-domain 'expiring soon, no successor logged' list, resolve contactable admins, and a simple monitoring dashboard + email/Slack alerts for signed-up domains. Validate the core TESTABLE PREDICTION first: does a one-day scan actually surface β‰₯50k such domains, and what fraction have a deliverable contact?
30-day build
Run the falsification test cheaply: scan CT logs for one day, measure how many domains truly have an expiring cert with no successor (guard against auto-renewal noise and pre-issued successors), and measure deliverable-contact rate. If the unrenewed count is tiny, KILL. Build a thin monitoring MVP in parallel.
60-day build
If the scan validates, send a small, compliant, personalized outreach batch (start well under 200, honor CAN-SPAM/GDPR, use warmed domain) and measure reply and trial-start rate. Instrument conversion honestly.
90-day revenue plan
HYPOTHESIS: if outreach converts, convert trials to $5–15/mo plans; also open inbound self-serve. Revenue in ~90–180 days is plausible only if the scan+outreach mechanic works; otherwise this is a slow inbound micro-SaaS in a crowded field.
Distribution path
Primary proposed channel = CT-log-driven cold outreach (high legal/deliverability risk, likely low response). Secondary = SEO/content ('what to do now that Let's Encrypt stopped expiry emails'), r/sysadmin, HN. The outbound channel is the risky, unproven core assumption.
Pricing hypothesis
HYPOTHESIS: $5–$19/mo per small account or per-domain tiers; competes against free/near-free monitors, so pricing power is weak.
Technical difficulty
Low-to-moderate. CT ingestion (certstream/crt.sh), successor-cert diffing, and alerting are all well-trodden. Solo-buildable.
Legal / regulatory risk
Moderate-to-high on the go-to-market: mass cold email to scraped WHOIS/RDAP contacts risks CAN-SPAM/GDPR/CASL violations, WHOIS access is rate-limited/redacted post-GDPR, and CT-log-based outreach can read as spam or reconnaissance. The product itself is low-risk.
Platform dependency
Moderate: depends on public CT logs (stable, mandated by browsers) and WHOIS/RDAP (degraded/redacted). No app-store gatekeeper.
Founder fit
MODERATE. This resembles the founder's compliance-monitor/data-product interests and is solo-buildable, BUT it is NOT the high-fit government-portal-mandate shape (lesson conf 0.80): there is no regulator compelling anyone to file, no per-filing transaction, and no forced buyer β€” the 'browser root programs as regulator' framing is an analogy, not a mandate with a deadline. Founder fit is limited by the cold-outbound sales motion, which conflicts with 'sells through demonstrated value, not relationship/outbound sales.'
Breakout potential
Low. Commoditized category with free incumbents; the only differentiator (outbound prospecting) is a copyable tactic, not defensible.
Final recommendation
WEAK / CONDITIONAL PASS β€” lean KILL. Do not build beyond the 30-day falsification test. The forced-buyer framing is an analogy, not a mandate; the category is commoditized; auto-renewal likely shrinks the real market; and the differentiating outbound channel is legally risky and off-profile for the founder. Only proceed if the one-day CT scan empirically surfaces a large, contactable set of genuinely-unrenewed domains AND a compliant outreach test converts β€” a low-probability outcome.
Next action
Run the cheap falsification experiment: a one-day crt.sh/certstream scan to count domains with an expiring cert and NO logged successor (filtering out auto-renew and pre-issued successors), and measure deliverable-contact rate. Kill if the unrenewed count or contact rate is low.

Kill arguments (adversarial)

Competitors

β€’ TrackSSL (link) β€” Dedicated SSL-expiry monitoring with alerts; direct low-cost incumbent.
β€’ Better Stack (Uptime) (link) β€” Uptime + SSL cert expiry monitoring bundled; strong free tier.
β€’ Red Sift Certificates / Keychest (link) β€” Certificate lifecycle discovery and expiry monitoring at scale.
β€’ UptimeRobot (link) β€” Popular free/cheap monitor including SSL expiry checks.
β€’ Certbot / Caddy (auto-renewal) (link) β€” Free ACME auto-renewal β€” the primary substitute that removes the pain entirely for most.

Source citations (facts)

β€’ Ending Expiration Emails (Let's Encrypt) β€” FACT (source signal 1845): Let's Encrypt is discontinuing expiration-reminder emails, removing the free renewal safety net.
β€’ crt.sh Certificate Transparency Search β€” CT logs publicly enumerate issued certificates with expiry dates, enabling a downloadable prospect list (basis for the proposed outbound mechanic).
β€’ r/sysadmin discussion (demand proxy referenced in hypothesis) β€” HYPOTHESIS/UNVERIFIED: sysadmins asking for replacements to Let's Encrypt expiry emails β€” upvote/comment volume cited as demand proxy but not supplied as evidence.

Actions