SSL Certificate Monitoring: Never Let Your HTTPS Expire Again
An expired SSL certificate breaks your site for every visitor and tanks your SEO. PoppaPing monitors your certificates and alerts you before they expire.
An expired SSL certificate is one of the most preventable outages — and one of the most damaging. When your cert expires, every visitor sees a full-page browser warning. Chrome shows "Your connection is not private." Firefox says "Warning: Potential Security Risk Ahead." Most users hit the back button immediately.
Your site is technically up. Your server is responding. But for your users, it's broken.
Why certificates expire silently
SSL certificates have a fixed lifetime — typically 90 days for Let's Encrypt or 1 year for commercial CAs. Most teams set up auto-renewal and forget about it. And auto-renewal works great, until it doesn't:
- DNS changes break the ACME challenge validation
- Server migrations leave the old certbot config behind
- Firewall rules block port 80 and the HTTP-01 challenge fails
- Permission changes prevent the renewal script from writing the new cert
- Certificate authority issues cause temporary renewal failures that become permanent if nobody notices
The renewal cron job runs, fails, maybe writes a log line that nobody reads, and 90 days later your cert expires at 2 AM on a Saturday.
How PoppaPing monitors your certificates
When you add an HTTPS monitor in PoppaPing, we automatically check the SSL certificate alongside the regular uptime checks. No extra configuration needed — if you're monitoring an HTTPS URL, certificate monitoring is included.
Here's what we track:
- Days until expiration — displayed on your monitor's detail page, color-coded: green (30+ days), yellow (7-30 days), red (under 7 days)
- Certificate issuer — who issued the cert (Let's Encrypt, DigiCert, Cloudflare, etc.)
- Expiration date — the exact date and time the certificate expires
- Expiry alerts — notifications sent through your configured alert channels as the expiration date approaches
When alerts fire
PoppaPing sends SSL certificate alerts at these thresholds:
| Days Remaining | Alert Level |
|---|---|
| 30 days | Warning — time to investigate if auto-renewal is working |
| 14 days | Warning — renewal should have happened by now |
| 7 days | Critical — immediate attention needed |
| 3 days | Critical — you're days away from an outage |
| 1 day | Critical — last chance |
| Expired | Emergency — your site is showing browser warnings right now |
Alerts go through your existing alert channels — email, Discord, Slack webhooks, Telegram, PagerDuty, OpsGenie, or SMS. No separate setup needed.
What to do when you get an alert
30-day alert: Check your auto-renewal setup. Run a dry-run renewal manually. If it succeeds, you're fine — the cert will renew before the next threshold. If it fails, fix the issue now while you have time.
14-day alert: Something is probably wrong with auto-renewal. Common fixes:
- Check if certbot (or your renewal tool) is still running:
systemctl status certbot.timer - Try a manual renewal:
certbot renew --dry-run - Check DNS records haven't changed if using DNS-01 challenge
- Verify port 80 is open if using HTTP-01 challenge
- Check file permissions on
/etc/letsencrypt/
7-day or less: Manual intervention time. If auto-renewal can't be fixed quickly, issue a new certificate manually. For Let's Encrypt: certbot certonly --standalone -d yourdomain.com. For other CAs, generate a new CSR and submit it through their portal.
Expired: The cert is already expired. Issue a new one immediately. If you're using a reverse proxy like nginx, you may need to restart it after installing the new cert: systemctl restart nginx.
SSL monitoring vs uptime monitoring
SSL certificate monitoring and uptime monitoring are complementary but different:
Uptime monitoring answers: "Is my site responding right now?"
SSL monitoring answers: "Will my site break in the near future?"
An HTTPS site with an expired certificate will often still return HTTP 200 to monitoring tools that ignore cert errors. Some HTTP clients skip certificate validation by default. This means your uptime dashboard might show 100% while every real user sees a security warning.
PoppaPing checks both simultaneously. Your HTTPS monitor verifies that the site is responding AND that the certificate is valid and not approaching expiry. One monitor, two layers of protection.
Common certificate setups and their risks
Let's Encrypt with certbot: 90-day certificates, auto-renewed via cron or systemd timer. Risk: renewal failures go unnoticed for up to 90 days. With monitoring, you catch failures at the 60-day mark (30 days remaining).
Cloudflare proxy: Cloudflare manages the edge certificate automatically. Risk: if you switch away from Cloudflare or change DNS, the origin server's cert may not be configured. Edge cert changes can also catch you off-guard.
Commercial CA (1-year certs): Longer validity means less frequent renewal, but also means the team that set it up might not be around when it expires. Annual calendar reminders get missed. Monitoring doesn't rely on anyone remembering.
Wildcard certificates: Cover *.yourdomain.com, usually renewed via DNS-01 challenge. Risk: DNS API credentials expire or API rate limits prevent renewal. Monitor your most important subdomain and the wildcard renewal covers everything.
The bottom line
SSL certificate expiry is a solved problem — if you monitor for it. Set up an HTTPS monitor, configure your alert channels, and never wake up to an expired certificate again.
Ready to stop guessing if your site is up?
PoppaPing monitors your sites from 10 regions on 4 continents. Get started free.
Start Monitoring Free