SSL expiry guide · 2026
SSL certificate expiry: how to prevent it in 2026
Every SSL certificate expires. The only question is whether you find out 30 days early from a Telegram message, or 30 minutes late from a customer on Twitter. Here is the practical 2026 playbook, plus a 30-second free reminder you can set right now.
Works on Let's Encrypt, ZeroSSL, GoDaddy, Sectigo, DigiCert, Cloudflare and any HTTPS certificate.
The short version
- SSL certificates expire on a fixed date encoded in the certificate. There is no grace period.
- Free ACME certificates last 90 days. Paid DV / OV certificates typically last 12 months. The industry is moving toward 47-day lifetimes by 2029.
- Auto-renewal works most of the time, but it silently fails often enough that every production site needs a separate alert path.
- @CertimonBot on Telegram sends free reminders before any certificate expires. No account, no agents, 30 seconds to set up.
Why SSL certificates expire in the first place
A certificate is a signed statement from a CA that says "as of this date, this public key belongs to this domain". That statement has to expire for three reasons:
- Compromise containment. If a private key leaks, the damage window is bounded by the certificate's lifetime. Shorter lifetimes mean smaller blast radius.
- Re-verification. Domain ownership changes. A 12-month-old certificate may belong to a domain that was sold, dropped or hijacked. Expiry forces the CA to revalidate control.
- Cryptographic agility. When TLS 1.0 was deprecated, when SHA-1 was retired, when 1024-bit RSA was killed, expiring certificates gave the ecosystem a way to roll forward without breaking the web overnight.
The CA/Browser Forum voted in 2025 to ratchet maximum certificate lifetimes down from 398 days to 200 in 2026, 100 in 2027 and 47 in 2029. The trend is clear: certificates expire more often, and any team that depends on "I'll remember to renew it next year" is going to get caught.
Typical SSL certificate lifetimes in 2026
Most teams have a mix of these. Each row is a separate failure mode if nothing is watching it.
| Certificate type | Lifetime | Renewed by | Failure mode |
|---|---|---|---|
| Let's Encrypt DV | 90 days | certbot / Caddy / Traefik / platform | Hook crash, port 80 blocked, DNS broken |
| ZeroSSL DV (ACME) | 90 days | ACME client | Same as above + rate limits |
| Cloudflare Universal SSL | ~90 days, auto-rotated | Cloudflare | Origin cert behind Cloudflare expired separately |
| Hosting-bundled DV | 90 days – 1 year | Your host | Plan downgrade, billing failure, domain detached |
| Paid DV (GoDaddy, NameCheap, Sectigo) | 1 year | Manual (or vendor portal) | Renewal email missed, invoice unpaid |
| OV / EV (DigiCert, Sectigo, GlobalSign) | 1 year | Manual | OV revalidation paperwork late |
| Internal CA / ACM Private CA | 13 months – 10 years | Internal ops | Original owner left the team |
Free ACME certs renew every 60 to 90 days. Paid certs renew once a year. Internal CAs are the longest fuse and the loudest explosion.
How to check when an SSL certificate expires
Four practical ways, in order of speed:
1. Telegram, 5 seconds
Open @CertimonBot and send /check example.com. You get issuer, alt names, expiry date and days remaining as a single message. No signup.
2. openssl on the command line
openssl s_client -servername example.com -connect example.com:443 </dev/null 2>/dev/null \
| openssl x509 -noout -dates -subject -issuer
Returns notBefore and notAfter dates. Works on Linux, macOS and WSL.
3. The browser padlock
Click the padlock, "Connection is secure", then "Certificate is valid". Fine for a spot-check; useless for 50 domains.
4. Programmatic check via curl
curl -v --silent https://example.com 2>&1 | grep -E "expire|subject:|issuer:"
Good for CI scripts. For a guided walkthrough see the check SSL certificate expiration date guide.
Why auto-renewal silently fails (and what to do about it)
Everyone learns this the hard way. Auto-renewal is great until the cron stops running. The most common silent failures we see across Certimon users:
- Port 80 blocked. A new firewall rule, a CDN switch, or a Cloudflare proxy mode change breaks the HTTP-01 challenge. Renewal fails for weeks, no one notices.
- DNS-01 records drift. The registrar changed API tokens, the DNS provider rotated credentials, the TXT record write fails. Wildcard certs in particular fail this way.
- certbot renew hooks crash. A post-renew script restarts nginx with a syntax error. The new cert is issued but never installed. Browsers keep serving the old one until it expires.
- Server migration left the cron behind. You moved the site to a new VPS, copied the certs over, and never installed certbot on the new box. The clock is now ticking.
- ACME account key rotated. Someone regenerated the account key and the new key has no orders authorized for that domain.
- Rate limits. Let's Encrypt's 50-certs-per-week-per-domain limit fires during a deploy storm. Renewals get backed off and quietly miss the window.
- Cloudflare origin cert. Universal SSL at the edge stays valid, but the 15-year origin cert behind it expired and your direct-to-origin health check now fails.
- Let's Encrypt expiration emails are gone. Let's Encrypt stopped sending expiration emails on June 4, 2025. The safety net most teams quietly relied on no longer exists.
The fix is not "more renewal automation". The fix is an independent alert path that does not share infrastructure with the renewal job. If the renewer is broken, you want the alert to still work.
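A minimal version of such an independent check, as an added example (not Certimon's code and not from the original page): it pulls the public certificate from outside and treats a failed fetch as an alert in its own right, so a broken endpoint never reads as healthy. The 60/30/7-day windows and all function names are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Reminder windows in days (assumed values; adjust to your renewal cadence).
WINDOWS = (60, 30, 7)

def days_remaining(not_after, now):
    """Whole days from `now` to a notAfter string like 'Jun  1 12:00:00 2026 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def classify(days, windows=WINDOWS):
    """Map days remaining to a status; the tightest window reached wins."""
    if days < 0:
        return "expired"
    reached = [w for w in windows if days <= w]
    return f"within-{min(reached)}d" if reached else "ok"

def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the certificate the live endpoint serves (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check(host, now=None, fetch=fetch_not_after):
    """Return (host, status, detail). A failed fetch is an alert, never 'ok'."""
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch(host)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired or untrusted certificate fails the handshake here.
        return host, "invalid", exc.verify_message
    except OSError as exc:
        # DNS failure, refused connection, timeout, other TLS errors.
        return host, "unreachable", str(exc)
    days = days_remaining(not_after, now)
    return host, classify(days), f"{days} days left (notAfter={not_after})"

if __name__ == "__main__":
    import sys
    results = [check(h) for h in sys.argv[1:]]
    for host, status, detail in results:
        print(f"{host}: {status}: {detail}")
    # Non-zero exit lets cron or CI route the failure to a separate channel.
    sys.exit(1 if any(status != "ok" for _, status, _ in results) else 0)
```

Run it from a host that does not run the renewal job, passing hostnames as arguments, and wire the non-zero exit to a channel the renewer does not depend on.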
A pragmatic 2026 expiry-prevention setup
For most teams, three layers are enough:
- Automate renewal. Use certbot, Caddy, Traefik, cert-manager, or your platform's built-in ACME. Pick one and standardize. See the free SSL certificate providers comparison if you are still choosing a CA.
- Test renewal in staging. Run certbot renew --dry-run in a cron weekly. Page on failure. This catches drift before the cert actually expires.
- Set an independent expiry alert path. An external monitor that pulls the public certificate and pings a separate channel (Telegram, Microsoft Teams, PagerDuty). If your renewer is broken, you still get the warning. @CertimonBot does this for free.
Sysadmins with dozens of domains will want to read SSL monitoring for system administrators for the bulk-import pattern.
Set a 30-day SSL expiry reminder in 30 seconds
Certimon is a free SSL certificate monitoring service. It pulls the public certificate for any HTTPS domain, tracks expiry, and pings you on Telegram, Microsoft Teams or PagerDuty before it lapses. No account required for Telegram.
Three steps
1. Open @CertimonBot on Telegram.
2. Send /remind example.com 30
3. You get a Telegram message 30 days before that certificate expires. Works on every public certificate, free or paid.
Stack multiple windows: /remind example.com 60 and /remind example.com 7 give you a heads-up and a panic warning.
FAQ
Why do SSL certificates expire?
Three reasons: to bound the damage from compromised private keys, to force re-verification of domain ownership, and to let the ecosystem retire weak cryptography. The CA/Browser Forum is pushing maximum lifetimes down to 47 days by 2029.
How can I check when an SSL certificate expires?
Fastest: send /check example.com to @CertimonBot. From the terminal: openssl s_client -servername example.com -connect example.com:443 </dev/null | openssl x509 -noout -dates.
What happens when an SSL certificate expires?
Browsers show NET::ERR_CERT_DATE_INVALID, mobile apps refuse to connect, webhooks fail TLS, email clients reject the connection, and search rankings drop. Recovery is fast once a new cert is issued, but the trust damage is harder to undo.
Why does Let's Encrypt auto-renewal silently fail?
Port 80 blocked, DNS-01 credentials rotated, renew hooks crashing, server migration left the cron on the old box, ACME account keys regenerated, rate limits hit during a deploy storm. None of these throw a visible error until the cert actually expires.
Is monitoring really necessary if auto-renewal works?
Yes. Auto-renewal works until it doesn't, and the failure mode is silent. An independent alert path that does not share infrastructure with the renewer is what catches the day the renewer breaks.
How do I get reminded before an SSL certificate expires?
Send /remind example.com 30 to @CertimonBot on Telegram. Free, unlimited domains, no account.
Never get caught by SSL expiry again
Free Telegram reminders for any SSL certificate. Independent of your renewal job, so if the renewer breaks you still get warned. No account, no agents, no credit card.