How do I monitor a free SSL certificate so it does not silently expire?

Auto-renewal can fail silently when DNS changes, ports get blocked, or a config drifts. Certimon sends free Telegram reminders before any certificate expires. Send /remind example.com 30 to @CertimonBot to get a Telegram alert 30 days before expiry — works for Let's Encrypt, ZeroSSL, Buypass, Cloudflare and any publicly served HTTPS certificate.

Free SSL guide • 2026

Free SSL Certificate Providers Compared

Q: What is the best free SSL certificate?

For most websites the best free SSL certificate is Let's Encrypt, issued automatically via certbot, Caddy, Traefik or your hosting platform. It supports free wildcards via DNS-01, is trusted by every browser, and renews itself every 90 days. Pick Cloudflare Universal SSL instead if your site is already proxied through Cloudflare (zero setup), ZeroSSL if you want a web UI, or Google Trust Services if you need a second free ACME issuer for redundancy. Squarespace, Wix, Shopify and most hosted website builders include a free SSL certificate automatically, so you do not need to install anything separately.

Q: Who provides free SSL certificates?

The main free SSL certificate authorities are Let's Encrypt, ZeroSSL, Buypass Go SSL and Google Trust Services. Cloudflare also provides free Universal SSL for any domain proxied through Cloudflare. All four CAs issue Domain Validation certificates trusted by every major browser.

Q: Is a free SSL certificate as secure as a paid one?

Yes. A free DV certificate from Let's Encrypt or ZeroSSL uses the same TLS encryption and the same browser trust roots as a paid DV certificate. The differences are in validation level (DV vs OV vs EV), warranty and support — not in cryptographic strength.

Q: Which free SSL provider supports wildcard certificates?

Let's Encrypt and ZeroSSL both support free wildcard certificates via DNS-01 ACME validation. Buypass Go SSL does not currently issue wildcard certificates. Cloudflare Universal SSL covers the apex and one level of subdomain by default, with Advanced Certificate Manager required for deeper wildcards.

Q: How long do free SSL certificates last?

Let's Encrypt and ZeroSSL free certificates last 90 days. Buypass Go SSL issues 180-day certificates. Cloudflare Universal SSL is auto-renewed by Cloudflare, typically every 90 days. All of them are designed for automated renewal via ACME or the platform itself.

Let's Encrypt, ZeroSSL, Buypass Go SSL and Cloudflare Universal SSL — side by side. Same browser padlock, same encryption, different trade-offs. Pick the right one, then monitor it for free.

See comparison table Monitor any free cert

Independent comparison • Not affiliated with Let's Encrypt, ZeroSSL, Buypass or Cloudflare

What is the best free SSL certificate?

For most websites, Let's Encrypt is the best free SSL certificate. It is free, trusted by every browser, supports wildcards via DNS-01, and is issued automatically by certbot, Caddy, Traefik and almost every hosting platform. Pick Cloudflare Universal SSL instead if your domain is already proxied through Cloudflare (zero setup), ZeroSSL if you want a friendly web UI, or Google Trust Services if you need a second free ACME issuer for redundancy. Squarespace, Wix and Shopify users already get a free SSL certificate provisioned automatically on their custom domain — nothing to install.

Certimon is not a CA. We monitor any of these free certificates and Telegram-ping you before they expire, free.

The short answer

For 95% of websites, Let's Encrypt via your hosting provider or certbot is the right default. It's free, automated, trusted everywhere, and supports wildcards.

Pick ZeroSSL if you want a friendlier web UI and one-year paid options on the side. Pick Cloudflare Universal SSL if your site is already proxied through Cloudflare — you get free SSL with zero setup. Buypass Go SSL is no longer available (discontinued October 2025) — see the alternatives guide if you used it.

Whichever you choose, the real failure mode is the same: auto-renewal silently breaks and the certificate expires. That is the gap Certimon fills with free Telegram reminders.

Free SSL providers at a glance

Domain Validation only. All four are trusted in every modern browser. Always confirm current limits with the provider — rate limits and policies change.

Provider	Lifetime	Wildcard	ACME	Best for
Let's Encrypt	90 days	Yes (DNS-01)	Yes — fully automated	Default choice for almost everyone
ZeroSSL	90 days (free)	Yes (DNS validation)	Yes (with EAB credentials)	Friendly web UI, optional 1-year paid tier
Buypass Go SSL (discontinued Oct 2025)	180 days	No	Yes (ACME) — no new issuance	Existing certs only — see migration guide
Cloudflare Universal SSL	Auto-managed (~90 days)	Apex + 1 level by default	Not needed — handled by Cloudflare	Sites already proxied through Cloudflare
Google Trust Services	90 days	Yes	Yes (with EAB)	Google Cloud customers, ACME redundancy

All providers issue DV (Domain Validation) certificates only. For OV/EV you still need a paid CA.

The four free SSL providers in detail

1. Let's Encrypt

The non-profit CA that made free SSL the norm. Issues 90-day DV certificates over the ACME protocol. Supported by virtually every hosting platform (Vercel, Netlify, Render, Fly, cPanel, Plesk, Caddy, Traefik) and the standard certbot client.

• Pros: Universal client support, wildcard via DNS-01, generous rate limits for most sites, true non-profit governance.
• Cons: 90-day lifetime means more frequent renewals; no expiration emails since June 2025; rate limits can bite at large CDN/hosting scale.
• Use it when: You want the default, the most-tested path, and the broadest tooling.

2. ZeroSSL

Operated by IdenTrust (parent of Sectigo). Offers free 90-day DV certs through both a click-through web UI and ACME with External Account Binding (EAB). Paid tiers add 1-year DV and multi-domain options.

• Pros: Web dashboard for non-technical users, REST API, supports wildcard, optional paid tiers without changing CA.
• Cons: ACME requires EAB setup (extra step), free tier capped on issuance volume, dashboard pushes you toward paid plans.
• Use it when: You don't want to install certbot, or you need a friendly UI for occasional manual issuance.

3. Buypass Go SSL (discontinued October 2025)

A Norwegian CA that issued free 180-day DV certificates over ACME. Buypass stopped selling TLS/SSL certificates on October 16, 2025 — no new orders, renewals or replacements. Existing certs remain valid until expiry.

• Migration: move existing customers to Let's Encrypt (default), ZeroSSL or Google Trust Services. See the Buypass Go SSL discontinuation and alternatives guide.
• If you still have Buypass certs in production: set up an independent expiry monitor before the renewal job dies. A Certimon /remind alert covers it for free.

4. Cloudflare Universal SSL

Not a CA you talk to directly — Cloudflare provisions and renews a free DV certificate for any domain you proxy through them. Issued from Google Trust Services / Let's Encrypt under the hood. Zero setup beyond pointing your DNS at Cloudflare.

• Pros: Truly zero-config, auto-renewed, includes edge TLS termination, works for unlimited domains on the free plan.
• Cons: Only covers the apex and one subdomain level by default (deeper wildcards need Advanced Certificate Manager, paid); your traffic must go through Cloudflare's proxy; opaque visibility into the underlying CA.
• Use it when: You're already on Cloudflare or want the simplest possible HTTPS setup.

How to choose

• Just need HTTPS, no opinions? Use whatever your hosting platform issues — it's almost certainly Let's Encrypt or Cloudflare. Done.
• Self-hosting on a VPS? Install certbot or Caddy and use Let's Encrypt. The tooling is the deepest there.
• Were you using Buypass Go SSL? Buypass discontinued it in October 2025 — see the Buypass Go SSL alternatives guide to migrate.
• Want a UI, not a CLI? ZeroSSL's dashboard is the friendliest of the four.
• Already on Cloudflare? Universal SSL is on by default — you don't need to do anything.
• Need wildcard? Let's Encrypt or ZeroSSL via DNS-01. Buypass doesn't issue wildcards.
• Need OV/EV identity-validated certs? None of these. You need a paid CA — see our paid vs free SSL comparison.

The hidden cost of free SSL: silent expiry

Free certificates are designed for automated renewal — but auto-renewal fails more often than people admit. DNS records change, port 80 gets firewalled, the cron job stops running after a server reboot, an ACME challenge breaks because you added a redirect. The cert quietly hits its last day and your site starts throwing browser warnings.

Let's Encrypt stopped sending expiration emails in June 2025, removing the safety net many teams unknowingly relied on. ZeroSSL, Buypass and Cloudflare don't reliably alert you either.

Certimon is a free, independent watcher: it checks any public HTTPS endpoint and Telegram-pings you before the certificate expires. CA-agnostic — works for every provider on this page.

Set up a free 30-day expiry reminder

1. Open @CertimonBot on Telegram.
2. Send /remind example.com 30
3. You'll get a Telegram message 30 days before that domain's certificate expires — Let's Encrypt, ZeroSSL, Buypass, Cloudflare or any other CA.

FAQ

What is the cheapest SSL certificate in the UK?

For UK websites the cheapest SSL certificate is free. Let's Encrypt, ZeroSSL, Google Trust Services and most UK hosts (Cloudflare, Fasthosts, IONOS, Krystal, 34SP, TSOHost, Squarespace) include a free DV certificate with no per-domain fee — valid on .co.uk, .uk and .org.uk the same as any other TLD. If procurement requires a paid invoice, NameCheap UK, 123-Reg and GoDaddy UK quote DV certificates from around £5 to £40 per year ex-VAT.

Does Squarespace include a free SSL certificate?

Yes. Every Squarespace site gets a free SSL certificate automatically on the custom domain — no purchase, no upload, no certbot. Squarespace provisions and renews it for you (Let's Encrypt under the hood). Wix, Shopify, Webflow and Cloudflare Pages do the same. If you are on one of these platforms you are already covered; you only need to install your own free certificate when you self-host.

Who provides free SSL certificates?

Let's Encrypt, ZeroSSL, Buypass Go SSL and Google Trust Services all issue free Domain Validation certificates trusted by every major browser. Cloudflare also provides free Universal SSL for any domain proxied through Cloudflare.

Is a free SSL certificate as secure as a paid one?

Yes. Free DV certificates use the same TLS encryption and the same browser trust roots as paid DV certificates. The differences are validation level (DV vs OV vs EV), warranty and support — not cryptographic strength.

Which free SSL provider supports wildcard certificates?

Let's Encrypt and ZeroSSL both issue free wildcard certificates via DNS-01 ACME validation. Buypass Go SSL doesn't issue wildcards. Cloudflare Universal SSL covers the apex plus one subdomain level; deeper wildcards require Advanced Certificate Manager (paid).

How long do free SSL certificates last?

Let's Encrypt and ZeroSSL: 90 days. Buypass Go SSL: 180 days. Cloudflare Universal SSL: auto-renewed (typically every 90 days). All are designed for automated renewal.

How do I monitor a free SSL certificate so it doesn't silently expire?

Auto-renewal can fail silently when DNS, ports or configs drift. A separate alerting path is the safety net. Send /remind example.com 30 to @CertimonBot for a Telegram alert 30 days before expiry — works for any CA.

Pick a free SSL. Then make sure it never silently expires.

Let's Encrypt, ZeroSSL, Buypass, Cloudflare — all free, all auto-renewed, all capable of failing quietly. Certimon Telegram alerts catch the renewals that don't happen.

Start free SSL monitoring