
How to Stop SSL Certificate Expirations From Surprising You

Expired SSL certificates are entirely preventable. They still take down production sites every week because manual renewal processes fail silently.

Why certificates still expire in 2026

Modern certificate tooling — Let's Encrypt, AWS Certificate Manager, managed renewal pipelines — has made automatic renewal the default for most setups. Despite this, certificate expirations remain one of the most common causes of unexpected downtime.

The failure modes are predictable:

  • Auto-renewal was set up once, then the server was migrated and the cron job did not follow
  • The renewal succeeded but the web server was never reloaded, so the old certificate stayed loaded in memory
  • A certificate was manually managed for a legacy service that nobody touched in two years
  • The renewal process requires a DNS challenge that broke when the DNS provider changed

Automation reduces the failure rate. Monitoring catches the failures that slip through.

What certificate monitoring checks

An SSL monitor goes beyond "is the site up." It connects to the host, reads the presented certificate, and checks:

  • Expiration date: How many days remain before the certificate expires
  • Chain validity: Whether the certificate chain is complete and trusted
  • Hostname match: Whether the certificate covers the domain being requested
  • Issuer: Whether the certificate was issued by a trusted authority

Each of these can fail independently. A certificate can be valid but not match the hostname. A renewed certificate can be correctly installed but have a broken chain.

When to alert

Alert at 30 days. That is enough runway to renew manually if automation fails, escalate if there is a renewal blocker, and verify the fix without urgency.

Alert again at 14 days and 7 days. If you have reached 7 days remaining on a certificate you manage, something in your renewal process has been broken for weeks and you want that to be loud.

Do not wait for the expiration itself. At zero days, the outage has already started.
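To make the four checks and the 30/14/7-day alert tiers concrete, here is a small monitor in Python. It is an added example, not code from MarionetteOps or from this post: chain validity and hostname match are delegated to Python's default TLS verification, expiry and issuer are evaluated in a pure function so the thresholds can be tested with constructed dates, and the `utc` helper and the "Example CA" issuer name are assumptions for sample data.

```python
import socket
import ssl
from datetime import datetime, timezone

THRESHOLDS_DAYS = (30, 14, 7)  # alert tiers from the article, descending

def utc(iso):
    """Parse a constructed ISO timestamp as UTC (assumed helper for sample data)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def days_remaining(not_after, now=None):
    """Whole days until not_after; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days

def alert_level(days):
    """Tightest tier crossed: None, 'warn30', 'warn14', 'warn7' or 'expired'."""
    if days < 0:
        return "expired"
    level = None
    for threshold in THRESHOLDS_DAYS:  # descending, so the last hit is the tightest
        if days <= threshold:
            level = f"warn{threshold}"
    return level

def evaluate(not_after, issuer_cn, expected_issuers=None, now=None):
    """Pure expiry + issuer evaluation, testable without a network connection."""
    days = days_remaining(not_after, now)
    findings = [lvl for lvl in (alert_level(days),) if lvl]
    if expected_issuers is not None and issuer_cn not in expected_issuers:
        findings.append("unexpected-issuer")
    return {"days_remaining": days, "issuer": issuer_cn, "findings": findings}

def fetch_certificate(host, port=443, timeout=5.0):
    """Handshake with full verification: ssl.SSLCertVerificationError is raised on an
    untrusted chain or a hostname mismatch (the chain and hostname checks above)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_host(host, expected_issuers=None):
    """Run all four checks against a live host, e.g. check_host("example.com")."""
    try:
        cert = fetch_certificate(host)
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "findings": [f"verification-failed: {exc}"]}
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    issuer_cn = dict(pair for rdn in cert["issuer"] for pair in rdn).get("commonName", "")
    return {"host": host, **evaluate(not_after, issuer_cn, expected_issuers)}
```

Run `check_host` on a schedule from a host outside the infrastructure being monitored and route any non-empty `findings` to the ops alert channel; a `verification-failed` finding is the "renewed but chain broken" or "wrong hostname" case, which a plain uptime check would never report.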

Domain expiration is the same problem

A domain that expires takes everything offline simultaneously — the website, email, API endpoints, everything. Domain registrar renewal reminders are notoriously easy to miss: they go to an old email address, get filtered as spam, or arrive while whoever handles renewals is on leave.

Independent domain expiry monitoring, run from outside your own infrastructure and routed to your ops alert channel, creates a backstop that does not depend on the registrar's email.

Watch for nameserver changes

Nameserver changes are a subtler signal. They are expected when migrating DNS providers, but they are also a reliable early indicator of domain hijacking attempts. Monitoring for unexpected nameserver changes gives you an alert that something has changed in your DNS infrastructure before the downstream effects appear.

The check is simple — compare the current nameservers against the expected set — but the signal it provides is one that most teams lack entirely.