SSL Certificate Expiration: How to Monitor and Avoid Downtime (2026)

What Happens When Your SSL Certificate Expires

An expired SSL certificate is one of the most embarrassing — and preventable — causes of website downtime. The moment a certificate expires, visitors to your site see a full-page browser warning:

"Your connection is not private. Attackers might be trying to steal your information from [yoursite.com]."

Most users immediately close the tab. Search engines like Google de-index or lower the ranking of sites with invalid certificates. API clients connecting to your service receive TLS errors and stop functioning. Revenue stops. Trust erodes.

The painful irony: this is 100% preventable with proper monitoring. SSL certificates don't expire without warning — they have a fixed expiry date that's visible months in advance. The problem is that teams forget to renew them.

How SSL Certificates Work (Brief Overview)

SSL/TLS certificates are digital credentials issued by Certificate Authorities (CAs) that:

1. Verify your website's identity (users can trust they're talking to the right server)
2. Encrypt traffic between the browser and your server (HTTPS)
3. Enable browser trust indicators (padlock icon, no security warnings)

Certificates have validity periods:

• Standard certificates (DV, OV, EV): Currently maximum 398 days (about 13 months) — set to reduce to 90 days in 2026
• Let's Encrypt free certificates: 90 days validity, typically auto-renewed via certbot every 60 days
• Wildcard certificates: Cover all subdomains, same validity periods

Why Certificate Expiry Still Happens in 2026

With auto-renewal widely available, why do certificates still expire? Common causes:

• Auto-renewal failed silently: certbot ran, but DNS validation failed or the server was misconfigured. Nobody noticed until the cert expired
• Manual renewal process: Teams that manually renew certificates forget, especially when the original team member has left
• Certificates bought through registrars: Annual renewal reminders go to an old email address or get filtered as spam
• Wildcard certificates on many subdomains: When one expires, all subdomains go down simultaneously
• Internal/staging certificates: Test environments use certificates that expire and break CI/CD pipelines
• Third-party services: CDNs, load balancers, or reverse proxies that manage their own certificates and don't alert you when they expire

How to Check Your SSL Certificate Expiry Date

There are several ways to check when your certificate expires:

Method 1: Browser

1. Visit your website in Chrome or Firefox
2. Click the padlock icon in the address bar
3. Click "Connection is secure" → "Certificate is valid"
4. View the "Valid until" date

Method 2: OpenSSL Command Line

echo | openssl s_client -servername yoursite.com -connect yoursite.com:443 2>/dev/null | openssl x509 -noout -dates

This shows notBefore and notAfter dates directly from the certificate.

Method 3: AlertSleep SSL Checker Tool

Use our free SSL certificate checker — enter your domain and instantly see the certificate expiry date, issuer, and remaining days.

Setting Up Automated SSL Expiry Monitoring

Manual checks are unreliable — the entire point is to automate this so you're alerted automatically before certificates expire. Here's how to set up automated SSL monitoring in AlertSleep:

1. Add a monitor for your domain in AlertSleep
2. SSL monitoring is enabled by default — AlertSleep checks the certificate expiry date on every check
3. Configure alert thresholds: AlertSleep alerts you at 30 days, 14 days, and 7 days before expiry by default
4. Configure alert channels: Add email for the 30-day warning, SMS for the 7-day warning

AlertSleep monitors the following SSL attributes on every check:

• Certificate expiry date and days remaining
• Certificate chain validity (intermediate certificates)
• Certificate hostname match (the cert covers the domain being monitored)
• TLS version (alerts if only deprecated TLS 1.0/1.1 is supported)

What to Do When a Certificate Is About to Expire

If you receive a "30 days remaining" alert, take action immediately:

For Let's Encrypt (auto-renewal)

1. SSH into your server and run: certbot renew --dry-run
2. If the dry run fails, check: DNS configuration, webroot path, and firewall rules (port 80 must be accessible for HTTP-01 challenge)
3. Fix the issue, then run: certbot renew
4. Verify the new expiry: certbot certificates

For Paid Certificates from a CA/Registrar

1. Log into your CA/registrar account and renew the certificate
2. Generate a new CSR if required
3. Install the new certificate on your server
4. Test with: openssl s_client -connect yoursite.com:443

SSL Monitoring for Multiple Domains

If you manage multiple domains or subdomains, manual SSL checking is impractical. AlertSleep monitors SSL certificates for all your domains in one dashboard — with individual expiry alerts per domain so you never miss a renewal across a portfolio of sites.

The free plan includes SSL monitoring on all 5 monitors. Paid plans allow monitoring 20–100 domains with 1-minute check intervals and SMS alerts for critical expiry warnings.

Start SSL monitoring free — no credit card required. Or use our free SSL certificate checker for a one-time check right now.