What changed
FACT (per signal 1845 / r/sysadmin thread): Let's Encrypt announced it is discontinuing its free certificate-expiration reminder emails. HYPOTHESIS: a large, silent installed base leaned on those emails as their only renewal backstop.
Why now
The deprecation notice is published and sysadmins are already asking 'what do I use instead?' in real time β a rare, dated moment where a free safety net is withdrawn from a huge base simultaneously, concentrating demand into a short window.
Converging signals
Two bridges meet: a PLATFORM change (LE sunsets expiry emails) and a COMPLAINT/PAIN signal (r/sysadmin thread seeking replacements, cosine 0.881). That is a genuine convergence, but a shallow one β the 'forced chain' is real only for the subset who do NOT already auto-renew.
Customer pain
FACT (from the one PAIN item): sysadmins want 'simple tools or scripts to monitor cert expiry and send alerts.' The pain is fear of a silent expired-cert outage (browser TLS errors, downtime, customer trust hit). Intensity is moderate, not acute β it is a preventive/insurance pain, not a burning fire.
Who pays
Small IT shops, MSPs, and self-hosting SMBs without an enterprise cert-management platform. HYPOTHESIS (not evidenced in input): MSPs monitoring many client domains are the only segment with real willingness-to-pay; solo self-hosters will overwhelmingly reach for the free option.
Solved today
Auto-renewal (certbot/acme.sh cron β the actual root-cause fix), plus a crowded field of free monitors: uptime-kuma (self-hosted, free, has cert-expiry checks), SSLMate CertSpotter (free), UptimeRobot/StatusCake/Better Uptime free tiers, TrackSSL, Datadog/checkly for the upmarket. Many people just add a cron + curl script.
Why current solutions are bad
Self-hosting uptime-kuma requires a box and upkeep; free tiers cap monitors or bury cert checks; scripts rot silently. But these are mild frictions, not a gap an incumbent can't close in an afternoon β several already have cert-expiry as a checkbox feature.
Proposed product
Hosted watcher: paste domains/URLs (or point an ACME/webhook hook), it TLS-probes on a schedule and fires email/Slack/webhook/PagerDuty alerts at configurable 30/14/7/1-day thresholds. Add value beyond a probe: chain/intermediate expiry, wrong-host/mismatch detection, weak-protocol flags, and an MSP multi-tenant dashboard with per-client rollups and a white-label option.
MVP version
A Go/Python cron worker that does TLS handshakes against a domain list, stores notAfter dates, and sends threshold alerts via email + Slack webhook. Landing page with Stripe checkout and a paste-your-domains onboarding. Buildable in days on a $5 VPS + a transactional-email provider.
30-day build
Ship MVP; capture the LE-sunset moment: publish a 'Let's Encrypt is killing expiry emails β here's the 5-minute replacement' post targeted at r/sysadmin, r/selfhosted, HN Show, and relevant forum threads. Free tier (up to ~5 domains), paid above. Instrument conversion.
60-day build
Add the MSP multi-tenant view, white-label alerting, and cert-chain/mismatch checks β the features free single-user tools lack. Reach out directly to small MSPs; offer per-client pricing. Add API + Terraform/Ansible snippets so it slots into existing ops.
90-day revenue plan
Target $1β3k MRR from ~50β150 paying accounts skewed to MSPs at $15β49/mo (many domains) plus a long tail of $5β9/mo self-hosters. Realistic given the crowded field; treat as a modest cash product, not a breakout.
Distribution path
Content-at-the-moment (the LE sunset gives a news hook), r/sysadmin + r/selfhosted + HN, SEO on 'Let's Encrypt expiry email alternative', and direct MSP outreach. No ad spend needed. Sells through demonstrated value β fits the founder.
Pricing hypothesis
Freemium: free up to 5 domains; $9/mo solo (up to ~50 domains); $29β49/mo MSP/white-label (multi-tenant, unlimited-ish, priority channels). Card-today, no procurement.
Technical difficulty
Low. TLS probing, scheduling, and alert fan-out are well-trodden. The hard part is not tech but differentiation and distribution.
Legal / regulatory risk
Minimal. No PII beyond email + domain lists; no government portal; no licensure. Standard SaaS ToS/privacy.
Platform dependency
Low β probes public TLS endpoints, depends on no platform owner who could deplatform it. NOTE: it is thematically downstream of LE's decision but not technically dependent on LE.
Founder fit
Moderate. It is a micro-SaaS/monitoring tool (in his preferred zone) and AI-assisted-buildable fast, but it does NOT use his strongest edge (government-portal / forced-filer integration). No mandate, no forced buyer, no public-money flow β this is a discretionary insurance product in a commoditized category.
Breakout potential
Low-to-moderate. The category is a feature, not a company; upside is a tidy lifestyle cash-flow product or an MSP-focused niche, not a breakout. Expansion into broader 'ops hygiene monitoring' (domain expiry, DNS, uptime, cert) is possible but walks directly into UptimeRobot/uptime-kuma territory.
Final recommendation
WEAK PASS / SIDE-BET ONLY. It is real, cheap, and fast to build, and the LE sunset gives a genuine news-timed acquisition hook β but it lands in a commoditized category with strong free substitutes, a root-cause fix (auto-renewal) that erodes the market, and no forced buyer. If pursued, do it ONLY as a fast weekend build aimed squarely at MSPs (multi-tenant + white-label is the sole defensible wedge), ride the sunset news, and cap the time investment. Do NOT make it a primary focus over government-portal / forced-filer opportunities that fit the founder's proven edge far better.
Next action
Spend 2 hours validating the MSP angle: DM 10 small MSPs in r/msp and via LinkedIn asking how they currently track client cert expiry and whether they'd pay $29/mo for a white-label multi-tenant alerter. Only build if β₯3 say yes β otherwise skip.