SSL renewal guide · 2026

SSL certificate renewal: the practical 2026 guide

Renew without thinking about it. Concrete commands for certbot, Caddy, Traefik and cert-manager, plus how manual renewal still works for paid CAs, and a free Telegram alert so the day automation breaks is the day you find out.

Works with Let's Encrypt, ZeroSSL, GoDaddy, Sectigo, DigiCert, Cloudflare and any HTTPS certificate.

The short version

  • Free ACME certs (Let's Encrypt, ZeroSSL, Google Trust Services) renew automatically every 60 to 90 days. You should never manually renew one.
  • Paid certs (GoDaddy, Sectigo, DigiCert) usually renew once a year via the CA portal. Some now support ACME for automation.
  • Renewal automation hides its own failures. An independent expiry alert is the safety net — see SSL certificate expiry: how to prevent it for the full failure-mode list.
  • @CertimonBot sends free Telegram reminders before any certificate expires, free or paid, automated or manual.

Method 1: Let's Encrypt with certbot

Standard on Ubuntu, Debian, RHEL and most VPS hosts. certbot installs a systemd timer (or cron) that runs certbot renew twice a day. The command is a no-op until a certificate is within 30 days of expiry.

# test that renewal will work, without actually renewing
sudo certbot renew --dry-run

# force a renewal now (only if you really need to)
sudo certbot renew --force-renewal

# list installed certs and their expiry
sudo certbot certificates

For nginx / Apache, set a deploy hook so the new cert is actually picked up:

#!/usr/bin/env bash
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (shebang must be line 1; chmod +x or certbot skips it)
systemctl reload nginx

Common gotcha: certbot renews the cert successfully, but the deploy hook crashes silently and the web server keeps serving the old cert. The renewer reports success while the cert in the browser still expires. This is the single most common renewal failure mode.

Method 2: Caddy or Traefik (zero config)

Both Caddy and Traefik issue and renew Let's Encrypt certificates automatically with no certbot, no cron, no deploy hooks. If you start a new project in 2026, this is the lowest-effort option.

# Caddyfile — that's it.
example.com {
  reverse_proxy localhost:3000
}

Caddy obtains the cert on first request, renews it ~30 days before expiry, and reloads itself with the new cert. Traefik does the same with a few lines of YAML or labels on a Docker service.

Method 3: Kubernetes with cert-manager

In Kubernetes, cert-manager handles ACME issuance and renewal via Certificate resources. Renewal happens 30 days before expiry by default.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - example.com
    - www.example.com

Check renewal status with kubectl describe certificate example-com. Watch for stuck orders in the cert-manager namespace logs.

Method 4: Cloudflare and host-bundled certs

If your site is behind Cloudflare with the orange-cloud proxy on, Cloudflare Universal SSL handles edge renewal automatically. You do not have a cron to maintain.

Two gotchas:

  • The origin cert. Cloudflare also issues a separate 15-year origin certificate for the connection between Cloudflare and your server. It expires too, just on a much longer fuse. The day it does, you will have forgotten it exists.
  • "Full (strict)" mode. If your origin cert expires while you are in Full (strict) mode, Cloudflare throws Error 526. See Cloudflare Error 526 for the full diagnosis.

cPanel, Plesk, Vercel, Netlify, Render, Fly, Railway, Heroku and most managed hosts issue and renew Let's Encrypt certificates as part of their platform. No action needed, until the day the platform's renewal job breaks. Monitor the public cert anyway.

Method 5: Paid certificate manual renewal

Paid DV, OV and EV certificates from GoDaddy, Sectigo, DigiCert, GlobalSign, NameCheap and others mostly still renew through the CA portal once a year. The steps:

  1. Log in to the CA portal, find the certificate, click renew.
  2. Pay the renewal invoice. Renewal pricing is usually higher than the first-year promo.
  3. Complete validation again. DV is automated (HTTP file, DNS TXT or email). OV and EV require company paperwork.
  4. Generate or reuse a CSR on the server. Most teams reuse the existing private key on renewal; some rotate it.
  5. Download the new certificate plus intermediate chain. Install on the server, reload nginx / Apache / load balancer.
  6. Verify the new cert is actually being served (openssl s_client or /check example.com on Telegram).

Wondering whether to keep paying? See do you actually need to buy an SSL certificate in 2026? for the decision tree and a price comparison.

The honest truth about renewal automation

Automated renewal works ~95% of the time. The remaining 5% is responsible for almost every outage caused by an expired SSL certificate. Common ways automation hides its own failure:

  • The renewer prints "Cert not yet due for renewal" for 11 months, then on month 12 it prints "Renewal failed" once and nothing watches the log.
  • A deploy hook crashes after issuance. The new cert sits on disk; the web server keeps serving the old one.
  • A server migration left the renewal cron on the old box. The new box runs nginx with the static cert files copied across, until they expire.
  • Let's Encrypt stopped sending expiration emails in June 2025. The email safety net that caught a lot of these is gone.
  • A paid cert renewal invoice bounced because the company card on file expired. The CA stops issuing. Nobody checks.

The fix is not more renewal automation. The fix is a second alert path that does not share infrastructure with the renewer. If the renewer is broken, the alert still fires.

A 2026 renewal-safe setup

Three layers, in order of importance:

  1. Automate renewal. certbot, Caddy, Traefik, cert-manager, or your platform's ACME. Pick one per environment.
  2. Test renewal weekly. Cron a certbot renew --dry-run (or the equivalent). Alert on failure.
  3. External expiry alerting. Pull the public cert from outside your network and ping a separate channel when expiry is near. @CertimonBot does this for free on Telegram, Microsoft Teams or PagerDuty.
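The deploy-hook gotcha in Method 1 and layer 3 above come down to the same check: look at the certificate the server actually serves, from outside, and compare it with what the renewer thinks it installed. The script below is an added example written for this page (not Certimon's code and not part of the original); it assumes a hostname reachable on port 443 and, optionally, the path of the PEM file the renewer wrote, such as certbot's fullchain.pem.

```python
"""Added example (not Certimon's code): out-of-band TLS certificate check.
Pulls the cert a public host actually serves, reports days left, and optionally
compares its SHA-256 fingerprint with the leaf in an on-disk PEM (certbot's
fullchain.pem) to catch "renewed on disk, web server still serves the old cert"."""
import base64, hashlib, socket, ssl, sys, time

def parse_not_after(not_after: str) -> float:
    """'Jun 01 12:00:00 2026 GMT' (the notAfter form getpeercert() returns) -> epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)

def days_left(not_after: str, now: float) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return int((parse_not_after(not_after) - now) // 86400)

def fingerprint_der(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def fingerprint_pem(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return fingerprint_der(base64.b64decode("".join(body.split())))

def fetch_served_cert(host: str, port: int = 443, timeout: float = 10.0):
    """(DER bytes, notAfter string) of the cert the server presents, validated against system CAs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"]

def check(host: str, threshold_days: int = 30, disk_pem=None):
    """Return (ok, message); ok is False whenever an alert should fire."""
    try:
        der, not_after = fetch_served_cert(host)
    except ssl.SSLCertVerificationError as exc:  # already expired, or chain broken
        return False, f"{host}: served certificate failed validation ({exc.reason})"
    if disk_pem is not None and fingerprint_pem(disk_pem) != fingerprint_der(der):
        return False, f"{host}: served cert differs from on-disk cert (deploy hook not applied?)"
    left = days_left(not_after, time.time())
    if left <= threshold_days:
        return False, f"{host}: certificate expires in {left} days"
    return True, f"{host}: ok, {left} days left"

if __name__ == "__main__":  # usage: tls_check.py HOST [THRESHOLD_DAYS] [/path/to/fullchain.pem]
    pem = open(sys.argv[3]).read() if len(sys.argv) > 3 else None
    ok, msg = check(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 30, pem)
    print(msg)
    sys.exit(0 if ok else 1)  # the non-zero exit is what cron or your alerting hooks on
```

Run it from a box that does not share the renewer's infrastructure; the on-disk comparison only makes sense on the server itself, right after the deploy hook.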

For teams running many domains: see SSL monitoring for system administrators for the bulk import pattern.

Set a renewal safety-net in 30 seconds

Certimon is a free SSL certificate monitoring service. It pulls the public certificate for any HTTPS hostname and pings you on Telegram (or Microsoft Teams or PagerDuty) before expiry — independently of your renewal automation.

  1. Open @CertimonBot on Telegram.
  2. Send /remind example.com 30
  3. You get a message 30 days before expiry. Works on Let's Encrypt, GoDaddy, Sectigo, DigiCert, Cloudflare-issued certs, anything publicly served over HTTPS.

FAQ

How often do you need to renew an SSL certificate?

Free ACME certificates renew every 60 to 90 days, automatically. Paid DV / OV / EV certificates renew once a year. By 2029, the CA/Browser Forum will have cut the maximum lifetime of all certificates to 47 days, so even paid renewals will need automation.

How do I renew a Let's Encrypt certificate?

You usually don't. certbot, Caddy, Traefik or cert-manager handles it. On a stock Ubuntu / Debian box, the certbot package installs a systemd timer that runs certbot renew twice a day. Run certbot renew --dry-run to confirm renewal will succeed.

What happens if I do not renew an SSL certificate?

The certificate expires and browsers show NET::ERR_CERT_DATE_INVALID. Mobile apps refuse to connect. APIs fail TLS handshakes. SEO takes a hit. The fix is to renew and reload the web server; the trust damage is harder to undo.

How do I renew a GoDaddy or Sectigo SSL certificate?

Through the CA portal: pay the renewal invoice, complete validation, generate or reuse a CSR, download the new certificate bundle, install it on your server, reload the web server. The CA emails a reminder 30 to 90 days before expiry, but those emails can be missed — an external monitor catches the slip.

Can SSL renewal be fully automated?

Yes for ACME-issued certificates (Let's Encrypt, ZeroSSL, Google Trust Services, Buypass). Paid DV / OV / EV from traditional CAs is mostly still manual, though some CAs now offer ACME for paid certs too.

Does Cloudflare renew SSL certificates automatically?

Universal SSL at the edge renews automatically. The origin certificate (between Cloudflare and your server) is separate and also expires, just on a 15-year cycle. Monitor both.

Trust the automation. Verify with an alert.

Free Telegram, Microsoft Teams and PagerDuty alerts before any SSL certificate expires. Independent of your renewal job, so the day automation breaks is the day you find out.
