The SSL Expiry Time Bomb
An expired SSL certificate is one of the most preventable — and most embarrassing — outages a SaaS company can suffer. Modern browsers block access entirely with full-screen 'Your connection is not private' warnings that look terrifying to users. Mobile apps that pin certificates fail to connect at all. Webhook senders like Stripe and GitHub refuse to deliver events. Search engines penalize the domain. The fix is usually trivial — renew and redeploy — but the damage to brand and conversions can take weeks to recover.
Why Auto-Renewal Isn't Enough
Let's Encrypt, AWS Certificate Manager, Cloudflare, and your hosting provider all offer automatic renewal. They work most of the time. The problem is that 'most of the time' is the worst possible failure mode — you assume it's handled, you stop checking, and then it silently breaks.
DNS Validation Failures
ACME challenge validation requires your DNS provider's API to be reachable during renewal. If your DNS provider has even a brief API outage during the renewal window, the challenge fails. The cert expires 30-60 days later, and unless you have monitoring, you find out from a customer tweet.
Permission and Credential Changes
An IAM policy change, an API key rotation, or a cloud-account billing issue can silently break auto-renewal months before the cert actually expires. The renewal cron job fails silently. You won't know until 60-90 days later.
Wildcard Certificate Gaps
Auto-renewal for wildcard certs often requires DNS-01 validation, which is different from HTTP-01 for single-domain certs. The wildcard covers *.yourdomain.com but not *.api.yourdomain.com — and new subdomains may not be covered.
Provider Migration
You moved from Heroku to Vercel six months ago. The old auto-renewal cron is still running on someone's laptop, nobody updated the docs. The cert expires and the entire team rediscovers the old infrastructure during the outage.
Manually-Issued Certs
Any cert you issued by hand for a special case — a country-specific domain, a partner-integration domain, a webhook receiver behind a proxy — is not auto-renewed by anything. These are the most common silent expiries.
Setting Up SSL Monitoring
FourSight's SSL monitor checks your certificate's expiry date, chain validity, and configuration daily. You get alerts at 30, 14, and 7 days before expiry — plenty of time to investigate why auto-renewal hasn't fired, get human eyes on it, and fix the underlying issue without panic.
What to Monitor Beyond Expiry
Expiry is the most catastrophic SSL issue but not the only one. A complete SSL monitoring strategy covers configuration as well.
| Check | What It Catches | Severity |
|---|---|---|
| Days until expiry | Imminent expiration | Critical at < 14 days |
| Chain validity | Missing intermediate certs | Critical (breaks on some clients) |
| Hostname match | Wrong cert for domain | Critical |
| TLS version (1.2+) | Outdated TLS | Warning |
| Cipher suite strength | Weak crypto | Warning |
| HSTS header | Missing security header | Info |
| OCSP stapling | Slow validation | Info |
| Issuer trust | Cert from untrusted CA | Critical |
Monitoring a Commercial SaaS?
FourSight includes 25 commercial-safe monitors with multi-region validation.
Start Monitoring FreeCertificate Chain Validation
An incomplete certificate chain is the most common SSL gotcha after expiry. Your cert validates fine in Chrome on your laptop but fails on iOS Safari, Android default browsers, and many HTTP clients. The reason: desktop browsers cache intermediate certificates from previous sessions, while mobile and headless clients don't. Always serve the full chain. FourSight validates the entire chain on every check.
SSL Configuration Best Practices
Beyond expiry and chain, monitor your SSL configuration for security issues. Weak cipher suites and outdated TLS versions don't cause outages — but they create vulnerabilities and harm your SEO ranking. Google has used HTTPS as a ranking signal since 2014.
Target SSL configuration:
TLS versions: TLS 1.2 minimum, TLS 1.3 preferred
Cipher suites: AEAD ciphers only (AES-GCM, ChaCha20-Poly1305)
Key exchange: ECDHE with P-256 or X25519
Certificate: ECDSA P-256 (preferred) or RSA 2048+
HSTS: max-age=31536000; includeSubDomains; preload
OCSP stapling: Enabled
Verify your config with:
ssllabs.com (rating: A or A+)
testssl.sh (run weekly in CI)
Multi-Domain Monitoring Strategy
Most SaaS companies have more SSL certificates than they realize. Audit your entire surface area at least quarterly. A typical mid-stage SaaS has 8-15 distinct certificates spread across primary domain, www, API subdomain, app subdomain, webhook endpoint, status page, marketing site, docs site, and legacy redirects. Missing even one creates a silent expiry risk.
Related Reading
What to Do During an SSL Outage
If a cert expires anyway, time matters. Document the renewal steps for each cert in a runbook accessible from anywhere. For Let's Encrypt, manual renewal usually takes 5-10 minutes. While renewing, post on your status page immediately — the support volume during an SSL outage is enormous because every user is hitting a scary browser warning at the same time.