SSL Certificate Monitoring: Why Expiry Alerts Save You

How to monitor SSL certificates to prevent expiry-related outages. Auto-renewal pitfalls, monitoring setup, and why every team needs certificate alerts.

Project Helena · 4 min read
Tags: SSL, monitoring, security

An expired SSL certificate causes an instant, total outage. Browsers show a full-page security warning that blocks users from accessing your site. No gradual degradation, no partial failure — just a hard wall between your users and your service.

The worst part? It’s 100% preventable with monitoring.

Why Certificates Still Expire

“But I have auto-renewal enabled.” So did every team that’s had a certificate expiry outage. Auto-renewal fails for predictable reasons:

  • DNS changes — Moved DNS providers and broke ACME challenge verification
  • Firewall rules — Port 80 blocked, preventing HTTP-01 challenges
  • Credential rotation — API keys for DNS-01 challenges expired or were rotated
  • Server migration — Moved to a new server and forgot to set up renewal
  • Multiple certificates — Auto-renewal covers the main domain but not the API subdomain certificate
  • Renewal service down — Certbot, cert-manager, or the CA itself has issues during the renewal window

Auto-renewal is essential. But trusting it blindly without monitoring is how outages happen.

The Impact of Certificate Expiry

When an SSL certificate expires:

  1. Browsers block access — Chrome, Firefox, and Safari show a “Your connection is not private” warning
  2. API calls fail — HTTPS clients reject the connection (and they should)
  3. SEO drops — Google temporarily deindexes sites with invalid certificates
  4. Trust is damaged — Users who see security warnings may not come back
  5. Revenue stops — E-commerce checkout, SaaS login, API access — all blocked

Check your certificates right now with our SSL checker.

Setting Up Certificate Monitoring

What to Monitor

Every SSL certificate your organization uses:

  • Production domains — www.example.com, app.example.com
  • API endpoints — api.example.com
  • Internal services — If they use TLS (and they should)
  • Third-party integrations — CDN certificates, SaaS custom domains
  • Wildcard certificates — *.example.com

When to Alert

Set tiered alerts:

  • 30 days before expiry — Info alert. Verify renewal is scheduled
  • 14 days before expiry — Warning. If auto-renewal hasn’t run, investigate
  • 7 days before expiry — Urgent. Manual intervention likely needed
  • 1 day before expiry — Critical. Page the on-call engineer

What to Check Beyond Expiry

Certificate monitoring should also verify:

  • Certificate chain — All intermediate certificates are properly installed
  • Domain match — Certificate covers the domain being served
  • Key strength — RSA 2048+ or ECDSA 256+ bits
  • TLS version — TLS 1.2 minimum, TLS 1.3 preferred
  • HSTS header — Strict-Transport-Security is configured
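The tiered thresholds above and the checks beyond expiry, as an added example that is not code from the original post or from Warden. It uses only the Python standard library. The evaluation functions work on an already-collected observation so they run offline; observe() collects one from a live endpoint (network required). Field names such as days_left, san_names and hsts, and the SAMPLE record, are constructed for this example.

```python
import socket
import ssl
import time
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# Alert tiers from the post, most severe first: (days-left threshold, level, action).
TIERS = [
    (1, "critical", "page the on-call engineer"),
    (7, "urgent", "manual intervention likely needed"),
    (14, "warning", "auto-renewal has not run; investigate"),
    (30, "info", "verify renewal is scheduled"),
]


def expiry_tier(days_left: int) -> Optional[Tuple[str, str]]:
    """Return (level, action) for the tier a certificate falls into, or None if >30 days."""
    if days_left < 0:
        return ("expired", "certificate has already expired")
    for threshold, level, action in TIERS:
        if days_left <= threshold:
            return (level, action)
    return None


def hostname_matches(hostname: str, san_names: List[str]) -> bool:
    """Exact match, or a wildcard SAN whose '*' covers exactly one label."""
    host_labels = hostname.lower().split(".")
    for name in san_names:
        labels = name.lower().split(".")
        if labels == host_labels:
            return True
        # "*.example.com" covers "app.example.com" but not "a.b.example.com"
        if labels[0] == "*" and len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def evaluate(observed: Dict) -> List[Tuple[str, str]]:
    """Apply the post's checks to one observation; returns (level, message) pairs."""
    findings = []
    tier = expiry_tier(observed["days_left"])
    if tier:
        findings.append((tier[0], f"expires in {observed['days_left']} days: {tier[1]}"))
    if not hostname_matches(observed["hostname"], observed["san_names"]):
        findings.append(("critical", "certificate does not cover the served hostname"))
    key_type, key_bits = observed.get("key_type"), observed.get("key_bits")
    minimum = {"RSA": 2048, "EC": 256}.get(key_type)
    if minimum is not None and key_bits is not None and key_bits < minimum:
        findings.append(("warning", f"{key_type} key is {key_bits} bits; minimum is {minimum}"))
    version = observed.get("tls_version")
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(("critical", f"negotiated {version}; TLS 1.2 is the minimum"))
    elif version == "TLSv1.2":
        findings.append(("info", "TLS 1.2 negotiated; TLS 1.3 preferred"))
    if not observed.get("hsts"):
        findings.append(("warning", "Strict-Transport-Security header missing"))
    return findings


def observe(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Collect what evaluate() needs from a live endpoint (network required).

    create_default_context() validates the chain and the hostname, so a missing
    intermediate surfaces here as ssl.SSLCertVerificationError. getpeercert()
    does not expose the key size, so key_type/key_bits are left as None.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) // 86400)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    req = urllib.request.Request(f"https://{hostname}:{port}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            hsts = resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:  # e.g. 405 on HEAD: headers are still present
        hsts = err.headers.get("Strict-Transport-Security")
    return {"hostname": hostname, "days_left": days_left, "san_names": sans,
            "key_type": None, "key_bits": None, "tls_version": version, "hsts": hsts}


# Constructed sample (no network): wildcard cert with 5 days left, TLS 1.2, no HSTS.
SAMPLE = {"hostname": "app.example.com", "days_left": 5,
          "san_names": ["example.com", "*.example.com"],
          "key_type": "RSA", "key_bits": 2048, "tls_version": "TLSv1.2", "hsts": None}

if __name__ == "__main__":
    import sys
    obs = observe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for level, message in evaluate(obs):
        print(f"[{level.upper()}] {obs['hostname']}: {message}")
```

Run it with a hostname argument to check a live endpoint, or with no argument to see the findings for the constructed sample. Chain problems are deliberately not a separate finding: the default context refuses the handshake when an intermediate is missing, which is exactly what a browser does, so the exception from observe() is the signal to alert on.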

Monitoring Tools

Built into Uptime Monitoring

The best approach is SSL monitoring integrated into your uptime monitoring tool. Warden checks SSL on every HTTP request automatically, alerting on upcoming expiry and configuration issues.

Dedicated SSL Monitoring

If your uptime tool doesn’t cover SSL:

  • SSLMate Cert Spotter — Certificate Transparency log monitoring
  • Keychest — Multi-domain SSL monitoring
  • Oh Dear — Comprehensive site health including SSL

DIY with Cron

A simple script to check certificate expiry:

#!/bin/bash
# Usage: check-cert.sh example.com: warns when the certificate on :443 expires within 14 days.
set -u
DOMAIN="${1:?usage: $0 <domain>}"
# Fetch the leaf certificate (SNI set via -servername) and read its notAfter date.
EXPIRY=$(echo | openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" 2>/dev/null \
  | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
if [ -z "$EXPIRY" ]; then
  echo "ERROR: could not retrieve certificate for $DOMAIN" >&2
  exit 2
fi
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)   # GNU date; BSD/macOS date needs -j -f instead
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
if [ "$DAYS_LEFT" -lt 14 ]; then
  echo "WARNING: $DOMAIN certificate expires in $DAYS_LEFT days"
  exit 1
fi

This works but misses certificate chain issues, domain mismatches, and configuration problems. Use proper monitoring for production.

Let’s Encrypt Specifics

Let’s Encrypt certificates expire every 90 days (by design, to encourage automation). This means:

  • Renewal should run at 60 days — Standard certbot behavior
  • A 30-day alert window works — You have 30 days to fix a failed renewal
  • Multiple renewal attempts — Certbot retries, but persistent failures need attention
  • Rate limits — Let’s Encrypt has rate limits. A misconfigured renewal loop can lock you out

Certificate Transparency

Certificate Transparency (CT) logs record every certificate issued for your domain. Monitor CT logs to detect:

  • Unauthorized certificates — Someone issued a certificate for your domain
  • Shadow IT — Internal teams provisioning certificates you don’t know about
  • CA compromises — Certificates issued without proper validation

Services like Cert Spotter and Facebook’s CT monitoring tool provide free CT log monitoring.
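The triage a CT monitor has to do once entries arrive, as an added example that is not from the original post or from any of the services named above. The entry layout, the inventory sets and the sample entries are constructed for this example; a real feed such as Cert Spotter has its own schema and would be mapped onto these fields first. Names are compared literally against the inventory (the wildcard literal "*.example.com" included), since the question here is whether a logged certificate is one the team expected, not whether it covers a host.

```python
from typing import Dict, List, Tuple

# Inventory (constructed): the domains you own, the SAN names you know you hold
# certificates for (wildcard literal included), and the CAs you authorise.
OWNED_DOMAINS = {"example.com"}
KNOWN_NAMES = {"www.example.com", "api.example.com", "*.example.com"}
EXPECTED_ISSUERS = {"Let's Encrypt"}

# Constructed sample entries, each a summary of one logged (pre)certificate.
SAMPLE_ENTRIES = [
    {"log_index": 101, "issuer": "Let's Encrypt", "names": ["www.example.com"]},
    {"log_index": 102, "issuer": "Let's Encrypt", "names": ["staging.example.com"]},
    {"log_index": 103, "issuer": "Some Other CA", "names": ["api.example.com"]},
    {"log_index": 104, "issuer": "Let's Encrypt", "names": ["www.unrelated.test"]},
]


def is_ours(name: str, owned=OWNED_DOMAINS) -> bool:
    """True if the SAN entry is one of our domains or a name under one of them."""
    return any(name == d or name.endswith("." + d) for d in owned)


def concerns(entry: Dict, expected=EXPECTED_ISSUERS, known=KNOWN_NAMES) -> List[Tuple[str, int, str]]:
    """Classify one CT entry: one (category, log_index, detail) per concern, empty if benign."""
    ours = [n for n in entry["names"] if is_ours(n)]
    if not ours:
        return []  # not for our domains; monitors sometimes return near-miss names
    out = []
    if entry["issuer"] not in expected:
        # A CA nobody on the team uses: possible mis-issuance, investigate with the CA
        out.append(("unexpected-issuer", entry["log_index"],
                    f"{entry['issuer']} issued for {', '.join(ours)}"))
    unknown = [n for n in ours if n not in known]
    if unknown:
        # Expected CA, our domain, but a name nobody registered: shadow IT or a new service
        out.append(("unknown-name", entry["log_index"],
                    f"certificate for unregistered name(s) {', '.join(unknown)}"))
    return out


def triage(entries: List[Dict]) -> List[Tuple[str, int, str]]:
    """Run concerns() over a batch, e.g. everything logged since the last poll."""
    return [c for entry in entries for c in concerns(entry)]


if __name__ == "__main__":
    for category, index, detail in triage(SAMPLE_ENTRIES):
        print(f"{category:18} log_index={index}: {detail}")
```

Both categories map onto the list above: "unexpected-issuer" is the unauthorized-certificate or CA-compromise case, "unknown-name" is the shadow-IT case. Keeping the inventory in version control alongside the checker means a new service only stops alerting once someone has consciously added its name.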
