FourSight
    LoginSign up
    Reliability & Infrastructure

    SSL Certificate Expiry Monitoring

    Automate certificate renewal tracking so you never wake up to an expired cert blocking your customers.

    10 min readGuide

    The SSL Expiry Time Bomb

    An expired SSL certificate is one of the most preventable — and most embarrassing — outages a SaaS company can suffer. Modern browsers block access entirely with full-screen 'Your connection is not private' warnings that look terrifying to users. Mobile apps that pin certificates fail to connect at all. Webhook senders like Stripe and GitHub refuse to deliver events. Search engines penalize the domain. The fix is usually trivial — renew and redeploy — but the damage to brand and conversions can take weeks to recover.

    Why Auto-Renewal Isn't Enough

    Let's Encrypt, AWS Certificate Manager, Cloudflare, and your hosting provider all offer automatic renewal. They work most of the time. The problem is that 'most of the time' is the worst possible failure mode — you assume it's handled, you stop checking, and then it silently breaks.

    DNS Validation Failures

    ACME challenge validation requires your DNS provider's API to be reachable during renewal. If your DNS provider has even a brief API outage during the renewal window, the challenge fails. The cert expires 30-60 days later, and unless you have monitoring, you find out from a customer tweet.

    Permission and Credential Changes

    An IAM policy change, an API key rotation, or a cloud-account billing issue can silently break auto-renewal months before the cert actually expires. The renewal cron job fails silently. You won't know until 60-90 days later.

    Wildcard Certificate Gaps

    Auto-renewal for wildcard certs often requires DNS-01 validation, which is different from HTTP-01 for single-domain certs. The wildcard covers *.yourdomain.com but not *.api.yourdomain.com — and new subdomains may not be covered.

    Provider Migration

    You moved from Heroku to Vercel six months ago. The old auto-renewal cron is still running on someone's laptop, nobody updated the docs. The cert expires and the entire team rediscovers the old infrastructure during the outage.

    Manually-Issued Certs

    Any cert you issued by hand for a special case — a country-specific domain, a partner-integration domain, a webhook receiver behind a proxy — is not auto-renewed by anything. These are the most common silent expiries.

    Setting Up SSL Monitoring

    FourSight's SSL monitor checks your certificate's expiry date, chain validity, and configuration daily. You get alerts at 30, 14, and 7 days before expiry — plenty of time to investigate why auto-renewal hasn't fired, get human eyes on it, and fix the underlying issue without panic.

    💡 Monitor SSL on every domain and subdomain you operate, not just your primary one. Webhook endpoints, API subdomains, staging environments, and country-specific TLDs all need separate monitoring — they often use separate certificates with separate renewal mechanisms.

    What to Monitor Beyond Expiry

    Expiry is the most catastrophic SSL issue but not the only one. A complete SSL monitoring strategy covers configuration as well.

    Check What It Catches Severity
    Days until expiry Imminent expiration Critical at < 14 days
    Chain validity Missing intermediate certs Critical (breaks on some clients)
    Hostname match Wrong cert for domain Critical
    TLS version (1.2+) Outdated TLS Warning
    Cipher suite strength Weak crypto Warning
    HSTS header Missing security header Info
    OCSP stapling Slow validation Info
    Issuer trust Cert from untrusted CA Critical

    Monitoring a Commercial SaaS?

    FourSight includes 25 commercial-safe monitors with multi-region validation.

    Start Monitoring Free

    Certificate Chain Validation

    An incomplete certificate chain is the most common SSL gotcha after expiry. Your cert validates fine in Chrome on your laptop but fails on iOS Safari, Android default browsers, and many HTTP clients. The reason: desktop browsers cache intermediate certificates from previous sessions, while mobile and headless clients don't. Always serve the full chain. FourSight validates the entire chain on every check.

    SSL Configuration Best Practices

    Beyond expiry and chain, monitor your SSL configuration for security issues. Weak cipher suites and outdated TLS versions don't cause outages — but they create vulnerabilities and harm your SEO ranking. Google has used HTTPS as a ranking signal since 2014.

    Target SSL configuration:
    
    TLS versions:          TLS 1.2 minimum, TLS 1.3 preferred
    Cipher suites:         AEAD ciphers only (AES-GCM, ChaCha20-Poly1305)
    Key exchange:          ECDHE with P-256 or X25519
    Certificate:           ECDSA P-256 (preferred) or RSA 2048+
    HSTS:                  max-age=31536000; includeSubDomains; preload
    OCSP stapling:         Enabled
    
    Verify your config with:
      ssllabs.com (rating: A or A+)
      testssl.sh (run weekly in CI)

    Multi-Domain Monitoring Strategy

    Most SaaS companies have more SSL certificates than they realize. Audit your entire surface area at least quarterly. A typical mid-stage SaaS has 8-15 distinct certificates spread across primary domain, www, API subdomain, app subdomain, webhook endpoint, status page, marketing site, docs site, and legacy redirects. Missing even one creates a silent expiry risk.

    What to Do During an SSL Outage

    If a cert expires anyway, time matters. Document the renewal steps for each cert in a runbook accessible from anywhere. For Let's Encrypt, manual renewal usually takes 5-10 minutes. While renewing, post on your status page immediately — the support volume during an SSL outage is enormous because every user is hitting a scary browser warning at the same time.

    Frequently Asked Questions

    Protect Your SaaS Revenue

    Start monitoring in under 60 seconds.