SSL expiry guide · 2026
SSL certificate expiry: how to prevent it in 2026
Every SSL certificate expires. The only question is whether you find out 30 days early from a Telegram message, or 30 minutes late from a customer on Twitter. Here is the practical 2026 playbook, plus a 30-second free reminder you can set right now.
Works on Let's Encrypt, ZeroSSL, GoDaddy, Sectigo, DigiCert, Cloudflare and any HTTPS certificate.
The short version
- SSL certificates expire on a fixed date encoded in the certificate. There is no grace period.
- Free ACME certificates last 90 days. Paid DV / OV certificates typically last 12 months. The industry is moving toward 47-day lifetimes by 2029.
- Auto-renewal works most of the time, but it silently fails often enough that every production site needs a separate alert path.
- @CertimonBot on Telegram sends free reminders before any certificate expires. No account, no agents, 30 seconds to set up.
Why SSL certificates expire in the first place
A certificate is a signed statement from a CA that says "as of this date, this public key belongs to this domain". That statement has to expire for three reasons:
- Compromise containment. If a private key leaks, the damage window is bounded by the certificate's lifetime. Shorter lifetimes mean smaller blast radius.
- Re-verification. Domain ownership changes. A 12-month-old certificate may belong to a domain that was sold, dropped or hijacked. Expiry forces the CA to revalidate control.
- Cryptographic agility. When TLS 1.0 was deprecated, when SHA-1 was retired, when 1024-bit RSA was killed, expiring certificates gave the ecosystem a way to roll forward without breaking the web overnight.
The CA/Browser Forum voted in 2025 to ratchet maximum certificate lifetimes down from 398 days to 200 in 2026, 100 in 2027 and 47 in 2029. The trend is clear: certificates expire more often, and any team that depends on "I'll remember to renew it next year" is going to get caught.
Typical SSL certificate lifetimes in 2026
Most teams have a mix of these. Each row is a separate failure mode if nothing is watching it.
| Certificate type | Lifetime | Renewed by | Failure mode |
|---|---|---|---|
| Let's Encrypt DV | 90 days | certbot / Caddy / Traefik / platform | Hook crash, port 80 blocked, DNS broken |
| ZeroSSL DV (ACME) | 90 days | ACME client | Same as above + rate limits |
| Cloudflare Universal SSL | ~90 days, auto-rotated | Cloudflare | Origin cert behind Cloudflare expired separately |
| Hosting-bundled DV | 90 days – 1 year | Your host | Plan downgrade, billing failure, domain detached |
| Paid DV (GoDaddy, NameCheap, Sectigo) | 1 year | Manual (or vendor portal) | Renewal email missed, invoice unpaid |
| OV / EV (DigiCert, Sectigo, GlobalSign) | 1 year | Manual | OV revalidation paperwork late |
| Internal CA / ACM Private CA | 13 months – 10 years | Internal ops | Original owner left the team |
Free ACME certs renew every 60 to 90 days. Paid certs renew once a year. Internal CAs are the longest fuse and the loudest explosion.
How to check when an SSL certificate expires
Four practical ways, in order of speed:
1. Telegram, 5 seconds
Open @CertimonBot and send /check example.com. You get issuer, alt names, expiry date and days remaining as a single message. No signup.
2. openssl on the command line
openssl s_client -servername example.com -connect example.com:443 </dev/null 2>/dev/null \
| openssl x509 -noout -dates -subject -issuer
Returns notBefore and notAfter dates. Works on Linux, macOS and WSL.
3. The browser padlock
Click the padlock, "Connection is secure", then "Certificate is valid". Fine for a spot-check; useless for 50 domains.
4. Programmatic check via curl
curl -v --silent https://example.com 2>&1 | grep -E "expire|subject:|issuer:"
Good for CI scripts. For a guided walkthrough see the check SSL certificate expiration date guide.
Why auto-renewal silently fails (and what to do about it)
Everyone learns this the hard way. Auto-renewal is great until the cron stops running. The most common silent failures we see across Certimon users:
- Port 80 blocked. A new firewall rule, a CDN switch, or a Cloudflare proxy mode change breaks the HTTP-01 challenge. Renewal fails for weeks, no one notices.
- DNS-01 records drift. The registrar changed API tokens, the DNS provider rotated credentials, the TXT record write fails. Wildcard certs in particular fail this way.
- certbot renew hooks crash. A post-renew script restarts nginx with a syntax error. The new cert is issued but never installed. Browsers keep serving the old one until it expires.
- Server migration left the cron behind. You moved the site to a new VPS, copied the certs over, and never installed certbot on the new box. The clock is now ticking.
- ACME account key rotated. Someone regenerated the account key and the new key has no orders authorized for that domain.
- Rate limits. Let's Encrypt's 50-certs-per-week-per-domain limit fires during a deploy storm. Renewals get backed off and quietly miss the window.
- Cloudflare origin cert. Universal SSL at the edge stays valid, but the 15-year origin cert behind it expired and your direct-to-origin health check now fails.
- Let's Encrypt expiration emails are gone. Let's Encrypt stopped sending expiration emails on June 4, 2025. The safety net most teams quietly relied on no longer exists.
The fix is not "more renewal automation". The fix is an independent alert path that does not share infrastructure with the renewal job. If the renewer is broken, you want the alert to still work.
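One check for the renew-hook failure above, where the new certificate is issued but never installed: compare the leaf certificate on disk with the one the server actually presents. This is an added example, not Certimon or certbot code; the function names and the fullchain.pem path in the usage comment are assumptions.

```python
import hashlib
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file or chain."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def served_pem(host, port=443, timeout=10):
    """PEM of the certificate the server presents right now.

    get_server_certificate() does not validate the chain, so it still
    returns the certificate when it has already expired (timeout needs
    Python 3.10 or later).
    """
    return ssl.get_server_certificate((host, port), timeout=timeout)


def is_stale(disk_pem, live_pem):
    """True when the renewer wrote one cert but the server serves another."""
    return leaf_fingerprint(disk_pem) != leaf_fingerprint(live_pem)


if __name__ == "__main__":
    # Usage (path is an assumption based on certbot's usual layout):
    #   python stale_cert.py example.com /etc/letsencrypt/live/example.com/fullchain.pem
    host, path = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        stale = is_stale(fh.read(), served_pem(host))
    print("STALE: server is not serving the cert on disk" if stale else "OK")
    sys.exit(1 if stale else 0)
```

Run it from the renew hook or a separate cron after each renewal; a non-zero exit means the web server was never reloaded with the new certificate.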
Domain monitoring and SSL alerts: wire expiry warnings to the channel your team already uses
SSL expiry monitoring only works if the alert lands somewhere a human will actually see it. Domain monitoring that emails a shared inbox no one reads is not monitoring; it is paperwork. The point of pairing domain monitoring with SSL alerts is to push the warning into the channel the on-call rotation is already watching.
Certimon supports four alert channels for SSL expiry notifications. Pick one or stack them per domain:
- Telegram. Direct chat or group. Best for indie devs and small teams. Send /remind example.com 30 to @CertimonBot, or add the bot to a group so the whole on-call rotation sees the alert. See Telegram SSL certificate alerts.
- Microsoft Teams. Incoming webhook into a Teams channel. Best for IT teams already living in Teams. Setup at Microsoft Teams SSL certificate alerts.
- PagerDuty. Escalation policy for production-critical certs (payment domains, API hostnames, identity providers). Wake someone at 3am when there is a real outage risk. See PagerDuty SSL certificate alerts.
- Webhook (and Slack). POST JSON to any URL. Use it to forward into Slack via an incoming webhook, into your own ticketing system, or into a custom alerting pipeline. The payload includes hostname, issuer, expiry timestamp and days remaining.
- Email magic-link dashboard. For the people who do not want bots in their chat. Manage subscriptions and view upcoming expiries at app.certimon.com.
The right pattern for most teams: a 30-day Telegram or Teams alert for early warning (time to investigate the renewer), a 7-day alert in the same channel (time to fix manually), and a 1-day PagerDuty escalation only on revenue-critical domains. Stack reminder windows with /remind example.com 30, /remind example.com 7, /remind example.com 1.
Multi-domain teams should also read SSL monitoring for small teams for the group-chat pattern, or the SSL monitoring API if you want to bulk-import domains and pipe alerts into your own systems.
A pragmatic 2026 expiry-prevention setup
For most teams, three layers are enough:
- Automate renewal. Use certbot, Caddy, Traefik, cert-manager, or your platform's built-in ACME. Pick one and standardize. See the free SSL certificate providers comparison if you are still choosing a CA.
- Test renewal in staging. Run certbot renew --dry-run in a cron weekly. Page on failure. This catches drift before the cert actually expires.
- Set an independent expiry alert path. An external monitor that pulls the public certificate and pings a separate channel (Telegram, Microsoft Teams, PagerDuty). If your renewer is broken, you still get the warning. @CertimonBot does this for free.
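A sketch of what the third layer does, combined with the 30/7/1-day windows recommended earlier: pull the served certificate, compute days remaining, and map that to an alert tier. This is an added example, not Certimon's code; the tier names, function names and host list are assumptions, and sending the alert to a channel is left to the caller.

```python
import socket
import ssl
import time

# Windows from the pattern above: 30-day early warning, 7-day manual-fix
# window, 1-day page. Tier names are labels invented for this example.
WINDOWS = [(1, "page"), (7, "fix-manually"), (30, "early-warning")]


def days_remaining(not_after, now=None):
    """Whole days until a notAfter string like 'Jun  4 12:00:00 2026 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(days, critical=False):
    """Map days remaining to an alert tier, or None when nothing is due."""
    if days < 0:
        return "expired"
    for limit, tier in WINDOWS:
        if days <= limit:
            # The 1-day page is reserved for revenue-critical hostnames.
            if tier == "page" and not critical:
                return "fix-manually"
            return tier
    return None


def check_host(host, port=443, critical=False, timeout=10):
    """Fetch the served leaf certificate and return (days, tier)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired or otherwise invalid certificate fails the handshake,
        # so there is no notAfter to read; surface it as its own tier.
        return None, "verify-failed: " + exc.verify_message
    except OSError as exc:
        return None, "unreachable: %s" % exc
    days = days_remaining(not_after)
    return days, classify(days, critical)


if __name__ == "__main__":
    # Constructed inventory of (hostname, revenue-critical?) pairs.
    for name, crit in [("example.com", False)]:
        print(name, check_host(name, critical=crit))
```

Run it from a machine that does not host the renewal job, so a broken renewer cannot also take out the check.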
Sysadmins with dozens of domains will want to read SSL monitoring for system administrators for the bulk-import pattern.
Set a 30-day SSL expiry reminder in 30 seconds
Certimon is a free SSL certificate monitoring service. It pulls the public certificate for any HTTPS domain, tracks expiry, and pings you on Telegram, Microsoft Teams or PagerDuty before it lapses. No account required for Telegram.
Three steps
1. Open @CertimonBot on Telegram.
2. Send /remind example.com 30
3. You get a Telegram message 30 days before that certificate expires. Works on every public certificate, free or paid.
Stack multiple windows: /remind example.com 60 and /remind example.com 7 give you a heads-up and a panic warning.
FAQ
Why do SSL certificates expire?
Three reasons: to bound the damage from compromised private keys, to force re-verification of domain ownership, and to let the ecosystem retire weak cryptography. The CA/Browser Forum is pushing maximum lifetimes down to 47 days by 2029.
How can I check when an SSL certificate expires?
Fastest: send /check example.com to @CertimonBot. From the terminal: openssl s_client -servername example.com -connect example.com:443 </dev/null | openssl x509 -noout -dates.
What happens when an SSL certificate expires?
Browsers show NET::ERR_CERT_DATE_INVALID, mobile apps refuse to connect, webhooks fail TLS, email clients reject the connection, and search rankings drop. Recovery is fast once a new cert is issued, but the trust damage is harder to undo.
Why does Let's Encrypt auto-renewal silently fail?
Port 80 blocked, DNS-01 credentials rotated, renew hooks crashing, server migration left the cron on the old box, ACME account keys regenerated, rate limits hit during a deploy storm. None of these throw a visible error until the cert actually expires.
Is monitoring really necessary if auto-renewal works?
Yes. Auto-renewal works until it doesn't, and the failure mode is silent. An independent alert path that does not share infrastructure with the renewer is what catches the day the renewer breaks.
How do I get reminded before an SSL certificate expires?
Send /remind example.com 30 to @CertimonBot on Telegram. Free, unlimited domains, no account.
What is the difference between domain monitoring and SSL monitoring?
Domain monitoring is the broader practice of watching every domain you own for any failure mode that breaks user access: DNS resolution, WHOIS expiry, blacklist status, and SSL certificate expiry. SSL monitoring is one slice of that, focused specifically on the TLS certificate served on port 443. Most teams need both, but SSL expiry is the failure that takes the site offline most often, so it is usually the first alert path to set up.
Which alert channels does Certimon support for SSL expiry?
Telegram (direct or group chat via @CertimonBot), Microsoft Teams (incoming webhook), PagerDuty (escalation policy), and any generic webhook URL. The webhook channel covers Slack via an incoming webhook and any custom ticketing or alerting pipeline. Stack multiple channels per domain when it matters.
Never get caught by SSL expiry again
Free Telegram reminders for any SSL certificate. Independent of your renewal job, so if the renewer breaks you still get warned. No account, no agents, no credit card.
Start free SSL monitoring on Telegram.
Prefer email or a dashboard? Sign in to the Certimon web dashboard.