SSL Certificate Expiry: The Outage You Can Prevent With One Setting

SSL Certificate Expiry: The Outage You Can Prevent With One Setting

Why certs still expire in the age of Let's Encrypt

Let's Encrypt made free 90-day certificates the default. Automation like certbot and cert-manager renews them without human involvement. And yet, every month, another well-known service goes dark for hours because a certificate expired. Why?

Because renewal automation is a system, and systems fail quietly. The certbot cron gets removed during a server migration. The cert-manager pod OOMs and stops reconciling. The DNS provider rate-limits the ACME challenge. A wildcard cert covering a subdomain nobody remembers stops renewing when the validation record gets cleaned up.

The renewal ran successfully for two years. Then it didn't. Nothing alerted, because the automation itself was the 'monitoring.'

External expiry monitoring is the safety net

The fix is to monitor the certificate from the outside — the same view your users' browsers get. An external check hits your domain over TLS, reads the leaf certificate's notAfter field, and warns you as expiry approaches. If your renewal automation silently broke, the external check catches it while you still have days to fix it.

This is independent of whichever renewal system you use. It works for Let's Encrypt, ACM, DigiCert, self-signed internal CAs — anything a TLS client can inspect.

The alert schedule that actually works

PingHarbor's SSL monitoring notifies at 30, 14, 7, 3, and 1 days before expiry. This cadence is deliberate:

30 days: heads-up for renewal work to be scheduled during business hours. 14 days: something is wrong with automation — investigate. 7 days: escalate to on-call. 3 days: page the team lead. 1 day: emergency.

A single '2 weeks out' alert isn't enough because it competes with everything else in your inbox. Repeated escalating alerts break through the noise, and by the 7-day mark it's impossible to ignore.

What to monitor beyond expiry

Certificate chain validity

A cert can be within its validity window but still fail in browsers because an intermediate CA changed. Modern monitoring validates the full chain against the standard trust store, not just the leaf date.

Hostname mismatch

Renewals occasionally reissue certs with the wrong SAN list — a wildcard becomes a single hostname, or a domain gets dropped. Check that the cert actually covers the hostname you're monitoring.

Domain expiry

Certificates are worthless if the underlying domain expires. WHOIS-based domain expiry monitoring lives alongside SSL monitoring in PingHarbor and follows the same escalation schedule. Losing a domain is significantly harder to recover from than losing a certificate — it deserves the same attention.

Set it once, forget it responsibly

Turn on SSL and domain expiry monitoring for every public hostname you own — including staging, internal tools, and legacy subdomains you're 'pretty sure' still auto-renew. The one you don't monitor is the one that will take you down.