As an other option, you install a cron job on your server, and send push notifications via pushover or ntfy.sh whenever it fails to renew.

Pushover is $5 once for personal use, ntfy.sh can be completely self-hostable if you prefer.

I have written a small tool which utilizes pushover for these reasons.

You can receive the notifications on your browser/mobile for free afterwards.

Or just a cronjob that fetches the tls certs and look at the expiration date and then send a mail or X.

So it's even work if you don't have control about the le client.

Exactly this. Don't look at the renewal proces, look at its output. It'll work for all certificate sources and catch other potential errors too (eg the webserver reporting success but not presenting the new certificate)

That'll work too. The idea was to put your own infra in place if you really need that, and it's not very hard to do it, even with completely self-hosted stack.

I imagine this is best left to third parties like the recommended service linked in the post. I assume that there's also a whole deluge of other services that have similar offerings.

what's the cost of sending notifications via mobile app? cheaper than email?

Mobile app? Now they need to develop that, keep up to date with OS version changes, and far far worse, support end users and their bugs?

And worse of all, worry about Apple and Google's arbitrary rejections?

This seems far more costly than email. Just having one dev keeping those apps going, is likely 20x or more than their email costs per year.

at least for iOS there are no costs associated with using Apple Push Notification Service (APNS) but depending on the way you use it you either need to pay for the infrastructure that sends your notifications to Apple or for a service like OneSignal which does that for you. Not sure what the volume of LE is but I am pretty sure it's a smart move to focus on their core "business" (providing certificates) and let other handle expiration notifications.