Certificate expiry is a top cause of avoidable downtime. The fix is straightforward: automate issuance/renewal, monitor expiry and chain health, and alert with enough lead time to react.
Related: DNS Monitoring 101 · Why SSL Still Breaks in 2025
The SSL lifecycle in 4 steps
- Issuance — via ACME (Let’s Encrypt) or commercial CA.
- Installation — on load balancers/CDNs/origin.
- Renewal — automatic via ACME or scheduled jobs.
- Monitoring — expiry date, SANs, chain validity.
See feature: SSL Monitoring.
What to monitor (beyond expiry)
- Days to expiry with escalating thresholds (30/14/7/3/1)
- Chain completeness (every intermediate is served, not just the leaf). Check from a clean client: some browsers fetch missing intermediates themselves (AIA) and hide the gap that breaks curl, mobile apps and API clients.
- Hostname/SAN coverage
- TLS versions/ciphers (TLS 1.0 and 1.1 are deprecated by RFC 8996; flag them and weak cipher suites)
- Revocation status (OCSP/CRL), and, if OCSP stapling is enabled, that the stapled response is fresh
Automation patterns that work
- Use ACME clients (certbot, win‑acme, lego) with a recurring job.
- Terminate TLS at the edge where possible; rotate centrally. The edge-to-origin certificate is a separate certificate with its own expiry, so monitor it too.
- Keep staging and production renewal pipelines identical.
Common failure modes (and prevention)
- Cron dies or lacks permissions → the certificate stays "valid" for weeks after renewal silently stops (ACME clients renew well before expiry), so monitor the last-successful-renewal timestamp as well as expiry.
- Missing SAN on a new subdomain → block go-live unless SANs are updated; a certificate that is valid and unexpired still fails for a hostname it does not cover.
- Chain file missing after rotation → validate post-deploy from a client that does not fetch intermediates itself, so the missing link is visible.
- Clock skew on hosts → NTP everywhere; a host with a wrong clock rejects a valid certificate as not yet valid or expired, and can also fail ACME validation.
Alerting that gives you time
- Slack/Teams at 30 and 14 days
- Email owners at 7 days
- SMS/PagerDuty at 3 and 1 day
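The thresholds above, the SAN-coverage check from "What to monitor" and the stalled-renewal check from "Common failure modes", combined in one script. This is an added example, not code from this page or from any product it mentions. It uses only Python's standard library: fetch_leaf_cert makes a live connection and is not exercised offline, while everything else runs against a constructed sample certificate in the dict shape ssl.SSLSocket.getpeercert() returns. The hostnames, dates and the 35-day max_age_days default are assumptions.

```python
import datetime as dt
import socket
import ssl

# Escalation ladder from the article: threshold in days -> alert channel.
ESCALATION = {30: "chat", 14: "chat", 7: "email", 3: "page", 1: "page"}


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Connect with full verification and return the leaf cert in getpeercert() form.

    Live network call; the offline checks below do not use it. A hostname
    mismatch or an incomplete chain surfaces here as ssl.SSLCertVerificationError,
    which is itself a monitoring signal worth alerting on.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_to_expiry(cert, now):
    """Fractional days until notAfter; negative once the cert has expired."""
    not_after = dt.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    return (not_after - now).total_seconds() / 86400


def escalation_level(days):
    """Tightest ladder rung already crossed (e.g. 10.9 days -> 14); 0 if expired; None if fine."""
    if days <= 0:
        return 0
    crossed = [t for t in ESCALATION if days <= t]
    return min(crossed) if crossed else None


def alert_channel(days):
    """Channel for the current escalation level, or None when no rung is crossed."""
    level = escalation_level(days)
    if level is None:
        return None
    return "page" if level == 0 else ESCALATION[level]


def san_covers(cert, hostname):
    """RFC 6125-style match: exact DNS SAN, or a single-label wildcard in the
    leftmost position. '*.example.com' covers 'api.example.com' but neither
    'example.com' nor 'a.b.example.com'. commonName is deliberately ignored."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def renewal_is_stale(last_renewal, now, max_age_days):
    """True when no renewal has succeeded within max_age_days.
    Catches the 'cron died' case long before the expiry check fires."""
    return (now - last_renewal).total_seconds() / 86400 > max_age_days


def check_host(cert, hostname, now, last_renewal, max_age_days=35):
    """Combine the checks into one findings dict suitable for an alert payload."""
    days = days_to_expiry(cert, now)
    findings = {
        "hostname": hostname,
        "days_to_expiry": round(days, 2),
        "alert": alert_channel(days),
        "san_ok": san_covers(cert, hostname),
        "renewal_stale": renewal_is_stale(last_renewal, now, max_age_days),
    }
    findings["healthy"] = (findings["alert"] is None and findings["san_ok"]
                           and not findings["renewal_stale"])
    return findings


# Constructed sample in the same shape ssl.SSLSocket.getpeercert() returns
# (assumed names and dates; not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Mar  1 00:00:00 2025 GMT",
    "notAfter": "May 30 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
# Assumed "current time" and last successful renewal for the offline run.
SAMPLE_NOW = dt.datetime(2025, 5, 20, tzinfo=dt.timezone.utc)
SAMPLE_LAST_RENEWAL = dt.datetime(2025, 3, 1, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for host in ("www.example.com", "v2.api.example.com", "new.example.com"):
        print(check_host(SAMPLE_CERT, host, SAMPLE_NOW, SAMPLE_LAST_RENEWAL))
```

With the sample dates the certificate is about 11 days from expiry, so every host lands on the 14-day rung ("chat"), new.example.com additionally fails SAN coverage, and the 80-day gap since the last renewal trips the stale-renewal check regardless of how much validity is left. In production, replace SAMPLE_CERT with fetch_leaf_cert(host) and read last_renewal from the ACME client's own state or a timestamp file the renewal job touches on success.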
Tying DNS & SSL together
DNS changes precede many cert issues: a new hostname goes live before it is added to the certificate, a CNAME is moved to a new edge that serves a different certificate, or a broken DNS record makes ACME validation fail and renewal stall. Run DNS and SSL checks together so the first alert points at the real cause. See DNS Monitoring 101.
Put this into practice
Start monitoring in minutes. Email, Slack, Teams, Discord, PagerDuty, and SMS alerts.