SSL certificate expiry is one of the most embarrassing production incidents you can have, because it's entirely predictable, entirely preventable, and yet it keeps happening — to small startups, to large enterprises, to companies that absolutely should know better.
The expiry date is stamped in the certificate. You can see it. It counts down. And yet certificates still expire in production, turning your HTTPS site into a browser security warning that drives users away.
Why it keeps happening despite auto-renewal
Let's Encrypt and certbot made free SSL certificates mainstream, and auto-renewal is supposed to solve the expiry problem. Set it up once, forget about it. Except:
- The certbot renewal cron job stopped running after a system update changed the cron configuration
- The renewal succeeded but the web server wasn't reloaded, so it kept serving the old expired cert
- The certificate renewed on server A, but you have three servers behind a load balancer and servers B and C didn't get the memo
- You moved from certbot to a different certificate source and the old renewal process now renews a certificate that nothing is serving
- The domain validation for renewal started failing because you changed your DNS provider three months ago and the old TXT records are gone
Auto-renewal is good. You should use it. But "auto-renewal is configured" is not the same as "auto-renewal will succeed forever." The renewal process itself can break in ways that are invisible until the certificate expires.
The other thing people forget: domain expiry
SSL gets all the attention, but domain expiry is equally devastating and even more predictable. Your domain has an expiry date in WHOIS. If it lapses, your entire site goes down — not just HTTPS, everything. No DNS resolution. Gone.
This happens when:
- The credit card on file with your registrar expired and the auto-renewal charge failed
- The renewal notification emails went to an old address or got caught in spam
- You acquired the domain years ago and simply forgot the renewal date
- The domain is owned by a former employee or contractor whose account is no longer accessible
How to set up SSL expiry monitoring
The right approach is to monitor the certificate expiry date itself, not rely solely on auto-renewal. You want an alert 30 days out, 14 days out, and 7 days out — enough runway to fix any renewal issues before they become emergencies.
Checking a certificate expiry date manually:
echo | openssl s_client -servername grabdiff.com -connect grabdiff.com:443 2>/dev/null | openssl x509 -noout -dates
That prints the notBefore and notAfter dates; notAfter is the expiry. The -servername flag matters: without SNI, a server that hosts several names may hand back a different certificate than the one your users actually get. The question is who's running that check regularly and alerting when the margin gets thin.
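A small stdlib-only Python checker, added here as an example and not GrabDiff's own code, that does what this section describes: fetch the certificate a host actually serves, work out the days to notAfter, and map that to the 30/14/7-day alert tiers. The optional connect_host argument is an assumption about your layout; it lets you point the same check at server B or C behind a load balancer while still sending the public name via SNI.

```python
import socket
import ssl
import time

# Alert tiers from the text: 30, 14 and 7 days of runway.
THRESHOLDS = (30, 14, 7)

def days_until_expiry(not_after, now_ts=None):
    """Days left until notAfter (getpeercert() form, e.g. 'Jun  1 12:00:00 2025 GMT')."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # notAfter is always GMT
    now_ts = time.time() if now_ts is None else now_ts  # POSIX timestamp; overridable for tests
    return (expiry_ts - now_ts) / 86400

def alert_level(days_left):
    """Tightest tier crossed (30/14/7), 'expired' if past notAfter, None if healthy."""
    if days_left < 0:
        return "expired"
    crossed = [t for t in THRESHOLDS if days_left <= t]
    return min(crossed) if crossed else None

def fetch_not_after(servername, connect_host=None, port=443, timeout=5):
    """notAfter of the cert served for servername; connect_host (assumed: one
    backend's address) reaches that node while SNI still carries the public name."""
    ctx = ssl.create_default_context()
    target = (connect_host or servername, port)
    with socket.create_connection(target, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(servername, connect_host=None, port=443):
    """Fetch the served cert and classify it against the alert tiers."""
    label = connect_host or servername
    try:
        not_after = fetch_not_after(servername, connect_host, port)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired (or otherwise untrusted) cert fails the handshake
        # before its dates can be read, so report that as the loudest alert.
        return {"host": label, "alert": f"verify_failed: {exc.verify_message}"}
    days = days_until_expiry(not_after)
    return {"host": label, "days_left": round(days, 1), "alert": alert_level(days)}

if __name__ == "__main__":
    # Assumed layout: one public name, each backend checked with the same SNI name.
    for backend in ("grabdiff.com",):  # add server B's and C's addresses here
        print(check_host("grabdiff.com", connect_host=backend))
```

Run it from cron or a monitoring job and page on any non-None alert; a verify_failed result means the handshake itself is already broken for users.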
GrabDiff monitors SSL and domain expiry automatically for every URL you add. You get an alert when either is within 30 days of expiring — no scripts, no cron jobs, no remembering to check. It runs alongside the visual screenshot monitoring, so you get both "is the page working" and "will the page keep working" coverage from one place.