SSL Certificate Expiry: How to Never Get Caught Off Guard
An expired certificate takes your whole site offline in an instant. Here is why it happens to careful teams and how to make it impossible.
There is a special kind of outage that hits careful, competent teams: the expired SSL certificate. One minute everything is fine; the next, every visitor sees a full-page browser warning and your traffic vanishes. No attacker, no bug, no deploy — just a date that slipped past. Here is why it keeps happening and how to make it impossible.
Why expiry catches good teams
Certificates are getting shorter. Free certificates from Let's Encrypt last 90 days, and the industry is moving toward even shorter lifespans. That means renewal is no longer an annual calendar reminder — it is a recurring task that must happen many times a year, on multiple domains and subdomains, often across servers set up by people who have since moved on.
- The person who set up auto-renewal left the company and nobody knew it needed watching.
- A renewal cron job failed silently weeks ago and no one was alerted.
- A subdomain or secondary domain was forgotten because the main site renewed fine.
- The certificate renewed but the new one was never reloaded into the running web server.
Auto-renewal is the right first step, but automation fails silently. You still want an independent monitor watching the actual expiry date as a safety net.
The two-layer defence
Reliable teams use two layers. The first is automation: a tool like certbot renews the certificate and reloads the server automatically. The second is independent monitoring: a separate system that checks the live certificate's expiry date from the outside and alerts you with plenty of warning if it gets close — typically at 30, 14 and 7 days out.
The reason both layers matter is that they fail in different ways. Automation fails silently and on the inside; monitoring sees what the world sees and shouts loudly. Together they cover each other's blind spots.
What good expiry monitoring looks like
1. It checks the live certificate as a visitor's browser would, not a local copy.
2. It watches every domain and subdomain, not just the apex.
3. It alerts well in advance — days, not hours — through a channel you actually see.
4. It confirms the renewed certificate is actually being served, catching the 'renewed but not reloaded' failure.
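A minimal sketch of such a monitor, added here as an illustration and not taken from any tool named in this article. It uses only the Python standard library; the status strings and the optional `pem_path` comparison (which assumes the monitor can read the renewed certificate file) are choices made for this example.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

THRESHOLDS = (30, 14, 7)  # warning points from the article, in days
END = "-----END CERTIFICATE-----"

def fetch_served(host, port=443, timeout=10):
    """Handshake like a browser; return (notAfter as UTC datetime, DER bytes).
    Raises ssl.SSLCertVerificationError if the cert is expired or invalid."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            der = tls.getpeercert(binary_form=True)
    return datetime.fromtimestamp(not_after, tz=timezone.utc), der

def classify(not_after, now):
    """Map remaining lifetime to the tightest alert level crossed."""
    days = (not_after - now).days  # floors, so any time past expiry is negative
    if days < 0:
        return "expired"
    for limit in sorted(THRESHOLDS):
        if days <= limit:
            return f"warn-{limit}"
    return "ok"

def served_matches_disk(served_der, pem_text):
    """True if the live leaf cert equals the first cert in the renewed PEM file."""
    leaf_pem = pem_text.split(END)[0] + END  # in a chain file the leaf comes first
    disk_der = ssl.PEM_cert_to_DER_cert(leaf_pem)
    return hashlib.sha256(served_der).digest() == hashlib.sha256(disk_der).digest()

def check(host, pem_path=None):
    """One monitoring pass for one hostname; returns a status string."""
    try:
        not_after, der = fetch_served(host)
    except ssl.SSLCertVerificationError:
        return "expired-or-invalid"
    except OSError:
        return "unreachable"
    if pem_path:
        with open(pem_path) as fh:
            if not served_matches_disk(der, fh.read()):
                return "renewed-not-reloaded"
    return classify(not_after, datetime.now(timezone.utc))
```

Run `check()` on a schedule for every hostname you serve, subdomains included, and route anything other than `ok` to a channel people actually read.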
PatchPings watches your certificate from the outside and warns you before it expires, so a missed renewal stays a minor task instead of becoming a customer-facing outage.
Certificate expiry is the most preventable outage there is. The fix is not heroics; it is two simple layers — automate the renewal, and monitor the date independently. Put both in place once, and you will never again learn your site is down because of a calendar.
