SSL Certificate Monitoring: Never Let Certificates Expire
Learn how to monitor SSL certificates and get alerts before they expire. Avoid downtime and browser warnings with automated SSL monitoring.
Wakestack Team
Engineering Team
Who This Is For
This guide is for developers, DevOps engineers, and IT administrators who manage websites with SSL/TLS certificates. If you've ever been surprised by an expired certificate, this guide will help you prevent that.
Why SSL Certificate Monitoring Matters
Expired Certificates = Outages
When an SSL certificate expires:
- Browsers show scary warnings: "Your connection is not private"
- Users can't access your site: Most won't proceed past warnings
- APIs break: HTTPS requests fail with certificate errors
- Trust is damaged: Users question your security
- SEO suffers: Search engines may temporarily demote your site
It Happens to Everyone
Major SSL expiry incidents:
- Microsoft Teams (2020): Expired cert caused outage
- Spotify (2020): Certificate expired
- LinkedIn (2019): Multiple subdomain expirations
- Ericsson/O2 (2018): Expired cert caused network outage
Auto-Renewal Isn't Foolproof
Let's Encrypt and auto-renewal help, but can fail due to:
- DNS configuration changes
- Server permission issues
- Certbot/ACME client bugs
- Renewal job not running
- Email not reaching the right person
What SSL Certificate Monitoring Does
Active Monitoring
SSL monitoring checks:
- Certificate validity: Is it expired?
- Expiry date: When does it expire?
- Chain validity: Is the certificate chain complete?
- Certificate changes: Did it change unexpectedly?
Alert Thresholds
Typical alert schedule:
30 days before expiry → Warning email
14 days before expiry → Urgent alert
7 days before expiry → Critical alert
1 day before expiry → Emergency (if not fixed)
How SSL Monitoring Works with Wakestack
Built Into Uptime Checks
When you create an HTTPS monitor, SSL monitoring is automatic:
Monitor: https://example.com
Type: HTTPS
Interval: 1 minute
SSL Monitoring: Enabled automatically
├── Certificate expiry tracking
├── Alert at 30 days
├── Alert at 14 days
└── Alert at 7 days
What You See
SSL Certificate Status
├── Domain: example.com
├── Issuer: Let's Encrypt Authority X3
├── Valid from: Jan 1, 2026
├── Expires: Apr 1, 2026
├── Days remaining: 83 days ✓
└── Chain: Valid ✓
Alert Example
⚠️ SSL Certificate Expiring Soon
Domain: api.example.com
Expires: January 15, 2026 (14 days remaining)
Issuer: Let's Encrypt
Action required: Renew certificate before expiration.
Setting Up SSL Certificate Monitoring
Step 1: Create HTTPS Monitors
For each domain/subdomain:
- Add Monitor in Wakestack
- Enter HTTPS URL
- SSL monitoring enables automatically
Step 2: Configure Alert Thresholds
Default thresholds work for most:
30 days: Warning
14 days: Urgent
7 days: Critical
Adjust if you have slow renewal processes.
Step 3: Monitor All Endpoints
Don't just monitor example.com. Monitor:
https://example.com (main site)
https://www.example.com (www subdomain)
https://api.example.com (API)
https://app.example.com (application)
https://admin.example.com (admin panel)
https://cdn.example.com (if custom cert)
Step 4: Verify Alert Delivery
Test that alerts reach:
- The right email addresses
- Slack channels
- Anyone who can actually renew certs
SSL Monitoring Best Practices
1. Monitor All Subdomains
Each subdomain can have a different certificate:
*.example.com → Wildcard cert (one renewal)
api.example.com → Separate cert (separate renewal)
Monitor each endpoint you expose.
2. Set Earlier Warnings for Slow Processes
If certificate renewal requires:
- Manual approval
- Change management
- External vendor
Set warnings earlier:
60 days: Heads up
30 days: Warning
14 days: Urgent
3. Document Renewal Procedures
When the alert comes, know:
- Who is responsible
- What renewal process to follow
- How to verify success
4. Monitor Certificate Chains
A valid certificate with broken chain = browser warnings.
Full chain monitoring checks:
- Root certificate
- Intermediate certificates
- Your certificate
5. Track Certificate Changes
Unexpected certificate changes could indicate:
- Compromise
- Misconfiguration
- Someone else renewed incorrectly
Common SSL Issues and Detection
Issue: Expired Certificate
Symptoms:
- Browser shows "Not Secure"
- API calls fail
- Users report errors
Detection:
- SSL monitoring alerts before expiry
- Uptime monitoring detects HTTPS failure
Issue: Wrong Certificate
Symptoms:
- Browser shows name mismatch error
- "Certificate doesn't match domain"
Detection:
- SSL monitoring checks certificate matches domain
- Alerts on mismatch
Issue: Incomplete Chain
Symptoms:
- Works in some browsers, not others
- Mobile browsers fail
- API clients fail
Detection:
- SSL monitoring validates full chain
- Alerts on chain issues
Issue: Weak Certificate
Symptoms:
- Security scanners flag issues
- Browser warnings in newer versions
Detection:
- SSL monitoring checks key strength
- Alerts on weak configurations
Integration with Let's Encrypt
The Auto-Renewal Reality
Let's Encrypt certificates expire every 90 days. Auto-renewal typically runs:
Certbot checks 2x daily
Renews at 30 days before expiry
When Auto-Renewal Fails
Common failures:
- DNS validation fails (DNS changed)
- HTTP validation fails (wrong server)
- Permissions error (certbot can't write)
- Rate limited (too many requests)
- Service not restarted (old cert still served)
Why Monitoring Still Matters
Auto-renewal + monitoring = peace of mind
Day 60: Auto-renewal should run
Day 35: No renewal yet? Something's wrong
Day 30: Monitoring alerts: "Certificate expiring"
Day 30: You investigate and fix renewal
Day 25: Successfully renewed
Crisis averted ✓
SSL Certificate Monitoring Checklist
- All HTTPS endpoints monitored
- Alert thresholds configured (30/14/7 days)
- Alert recipients include whoever can renew
- Subdomains included
- Renewal process documented
- Test alerts verified working
- Auto-renewal status known per domain
Wakestack SSL Monitoring
SSL monitoring is built into HTTPS uptime checks.
Features:
- Automatic SSL tracking on HTTPS monitors
- Configurable expiry alerts
- Certificate chain validation
- Domain match verification
- Historical tracking
Included in:
- All plans (Free, Pro, Enterprise)
- No extra charge for SSL monitoring
Related Resources
Frequently Asked Questions
What happens when an SSL certificate expires?
Browsers show security warnings, block access, and users lose trust. APIs fail with certificate errors. Search rankings drop. It's essentially an outage for secure sites.
How often should I check SSL certificates?
Daily checks are sufficient for most sites. What matters is getting alerts 30, 14, and 7 days before expiry so you have time to renew.
Does Let's Encrypt auto-renewal mean I don't need monitoring?
Auto-renewal can fail silently (permissions, DNS issues, server problems). SSL monitoring catches these failures before they cause outages.
Related Articles
How to Monitor Website Uptime: A Complete Guide
Learn how to set up effective website uptime monitoring. This comprehensive guide covers tools, best practices, alert configuration, and how to respond to downtime incidents.
Read moreUptime Monitoring: The Complete Guide for 2026
Learn everything about uptime monitoring - what it is, why it matters, how to set it up, and which tools to use. A comprehensive guide for DevOps teams and developers.
Read moreBest Uptime Monitoring Tools in 2026: Complete Comparison
Compare the best uptime monitoring tools available in 2026. We analyze pricing, features, and use cases for Wakestack, Pingdom, UptimeRobot, Better Stack, and more.
Read moreReady to monitor your uptime?
Start monitoring your websites, APIs, and services in minutes. Free forever for small projects.