Your SSL certificate will expire and you wont notice until customers do

Your SSL certificate will expire and you won't notice until customers do

It happened to me last year. Let's Encrypt auto-renewal was set up, certbot was in cron, everything looked fine. Except the renewal failed silently because a DNS change pointed the domain to a different IP. Certbot couldn't complete the HTTP-01 challenge anymore. The cert expired on a Friday evening. I found out from a customer screenshot showing the browser warning page.

Took five minutes to fix. Took three hours to respond to support emails from people who thought the site was hacked.

What I do now

Check expiry dates weekly, automatically. Not monthly. Not "I'll remember." A script that hits each domain's port 443 and reads the certificate expiry:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate

If it's under 14 days, alert me. Under 7, wake me up.

Monitor the actual renewal process. Certbot logs to /var/log/letsencrypt/letsencrypt.log. I grep for "failed" and "error" after each renewal run. Most people redirect cron output to /dev/null for certbot. Don't do that.

Test from outside. Your server thinks the cert is fine because it reads the local file. Test from an external location — what does a real browser see? SSL Labs has a free API for this, or just run a curl from a different machine.

Watch for certificate transparency logs. If someone issues a cert for your domain that you didn't request, that's a sign of compromise or misconfiguration. Google's CT log search and crt.sh let you monitor this.

The boring truth

SSL monitoring is one of those things that costs almost nothing to set up and saves you from a very public, very preventable failure. Every ops checklist includes it. Almost nobody does it until they get burned.

If you're running more than three domains, stop relying on "certbot handles it" and add actual monitoring. Future you will be grateful.