SSL Certificate Renewal Reminder: Prevent the Browser Warning That Kills Trust

YouGot Team · Apr 16, 2026 · 6 min read

An SSL certificate renewal reminder prevents one of the most damaging and completely preventable technical failures: the expired-certificate browser warning that turns every visitor away. "Your connection is not private" is not a subtle error. It fills the screen. It implies the site is dangerous. It kills conversion rates, search rankings, and user trust in minutes — and it persists until someone renews the certificate. A simple 30-day reminder prevents all of it.

The Hidden Cost of an Expired SSL Certificate

The browser warning is the visible damage. The less obvious costs accumulate beneath it:

Traffic drops immediately. Chrome's full-screen interstitial warning has a bypass option, but fewer than 5% of non-technical users click through it. Bounce rate spikes to near 100%.

Search rankings fall. Google has used HTTPS as a ranking signal since 2014. An expired certificate effectively removes the HTTPS signal and may trigger additional quality penalties.

API integrations break. Any service that calls your API or webhook endpoint and validates SSL will immediately fail with a certificate error. Payment processors, CRMs, and analytics tools all validate certificates.

PCI compliance lapses. For e-commerce sites that handle payment data, an expired SSL certificate creates an immediate PCI DSS compliance violation.

The WHOIS-registered email may be wrong. Your certificate authority (CA) sends expiry reminders to the domain's administrative email, which may be an old address, a shared mailbox no one checks, or a former employee's inbox.

In 2020, Microsoft Teams went down for hours when an authentication certificate expired and wasn't renewed. In 2021, Spotify experienced a certificate-related outage. Certificate expiration is not an edge case — it's a recurring failure mode at every scale of organization.

SSL Certificate Types and Renewal Timelines

Certificate type | Validity | Renewal approach
Let's Encrypt (free) | 90 days | Auto-renew via certbot (cron/systemd)
Domain Validation (DV) paid | 1 year | Manual or auto-renew via CA dashboard
Organization Validation (OV) | 1 year | Manual — requires org verification
Extended Validation (EV) | 1 year | Manual — requires 3–5 day vetting
Wildcard certificate | 1 year | Manual or managed
CDN-managed (Cloudflare, etc.) | Auto | Managed by CDN, verify in dashboard

Try These SSL Certificate Renewal Reminders

Text me on the 1st of every month to check the SSL Labs report for all production domains and confirm certificates have 60+ days remaining.

Type any of these into YouGot for developers and the reminder fires via SMS, WhatsApp, email, or push at the specified time.

Setting Up SSL Certificate Renewal Reminders

Step 1: Find your current certificate expiration dates

Run this command for each domain:

echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

Or check via the browser: click the padlock icon in Chrome → Certificate → Expiration date.

For batch monitoring, SSL Labs (ssllabs.com/ssltest/) shows the expiry date clearly.

Step 2: Set a 30-day reminder for each certificate

"Remind me on [expiry date minus 30 days] that the SSL cert for [domain] expires in 30 days. Renew via [certbot/CA dashboard/hosting panel]."

Step 3: Set a 7-day safety net

"Remind me on [expiry date minus 7 days] that the SSL cert for [domain] expires in 7 days — confirm renewal completed."

Step 4: For Let's Encrypt, add a quarterly certbot audit

"Remind me on the 1st of every month to SSH into [server name] and run sudo certbot renew --dry-run to verify auto-renewal is working."

Why Auto-Renewal Isn't Enough (And How to Verify It)

Let's Encrypt auto-renewal via certbot is usually reliable — until it isn't. Failure modes:

  • Cron job silently fails after an OS update changes the cron syntax
  • Port 80 blocked by a firewall rule someone added for security
  • Certbot version becomes outdated and the ACME protocol handshake fails
  • Domain's DNS changed and the ACME HTTP-01 challenge can't validate
  • Server disk full, certbot can't write the new certificate

None of these produce obvious error messages in real-time. The failure only becomes visible when the certificate expires and the browser warning appears.
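Because these failures stay silent, the dependable signal is the expiry date of the certificate the endpoint actually serves. The following is an added example (not code from YouGot or certbot) that automates Steps 1 to 3 above: it parses a `notAfter` value and returns the 30-day and 7-day reminder dates. The function names, status labels and sample expiry dates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

REMIND_DAYS = (30, 7)  # the 30-day reminder and 7-day safety net from Steps 2 and 3


def parse_not_after(text):
    """Accept openssl's 'notAfter=May 15 12:00:00 2026 GMT' line or the bare date."""
    text = text.strip().split("=", 1)[-1]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def fetch_not_after(host, port=443, timeout=5.0):
    """Read the expiry from the live endpoint. An already-expired certificate fails
    verification and raises ssl.SSLCertVerificationError: treat that as an alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])


def reminder_plan(domain, not_after, now=None):
    """Return a status plus the reminder dates that have not passed yet."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now).days
    if not_after <= now:
        status = "EXPIRED"
    elif days_left < 7:       # status labels are this example's own convention
        status = "RENEW NOW"
    elif days_left < 30:
        status = "RENEW"
    else:
        status = "OK"
    due = [(not_after - timedelta(days=d)).date() for d in REMIND_DAYS]
    return {"domain": domain, "days_left": days_left, "status": status,
            "reminders": [d for d in due if d >= now.date()]}


# Constructed sample: `openssl x509 -noout -enddate` output per domain (not real data).
SAMPLE = {
    "api.myapp.com": "notAfter=May 15 12:00:00 2026 GMT",
    "shop.example.com": "notAfter=Jul 15 00:00:00 2026 GMT",
    "old.example.com": "notAfter=Apr  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    fixed_now = datetime(2026, 4, 16, tzinfo=timezone.utc)  # fixed for repeatable output
    for name, line in SAMPLE.items():
        print(reminder_plan(name, parse_not_after(line), fixed_now))
```

For live checks, replace the sample lookup with `fetch_not_after(domain)` and run the script from a machine other than the web server, so a dead cron job on the server cannot also silence the check.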

Verify certbot is working by running sudo certbot renew --dry-run monthly, and set that as a recurring reminder.

SSL Monitoring Tools + YouGot Reminders: The Right Combination

Paid SSL monitoring services (UptimeRobot, Freshping, StatusCake) send automated alerts when certificates reach a threshold (30 days, 14 days, 7 days remaining). These are excellent — when they work.

YouGot complements these tools as a manual backup and human action reminder. When the automated alert fires, it tells you something is happening. A YouGot reminder tells you specifically what to do and by when.

For small teams or solo developers, a YouGot SMS reminder is the simpler solution: no monitoring service subscription, no dashboard to check, just a text that says "SSL cert for api.myapp.com expires May 15 — renew today."

See the related domain renewal reminder post for the same approach applied to domain registrations.

Managing SSL Certificates for Multiple Projects

Developers and agencies managing multiple client sites often have certificates expiring across the calendar year with no unified tracking. A simple quarterly reminder to audit all certificates is more manageable.

For developers managing multiple projects, see YouGot's pricing for reminder volume limits on each plan.

Frequently Asked Questions

How do I get notified when my SSL certificate expires?

Set a reminder in YouGot 30 and 14 days before your SSL certificate expiration date: 'Remind me on [date] that the SSL certificate for [domain] expires in 30 days — renew or verify auto-renewal ran.' Check your certificate expiry date by running: echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates. Certificate transparency logs also track expiry, and services like SSL Labs provide expiry dates in their reports.

How long does an SSL certificate last?

As of September 2020, the maximum SSL/TLS certificate validity period is 398 days (approximately 13 months). Let's Encrypt certificates, which are free and widely used, expire after 90 days and require renewal every 60–90 days. Most managed hosting providers and CDNs handle Let's Encrypt renewal automatically. Paid certificates from DigiCert, Comodo, or Sectigo typically have 1-year validity periods and require manual renewal or auto-renewal configuration.

What happens when an SSL certificate expires?

When an SSL certificate expires, browsers display a full-screen warning: 'Your connection is not private' (Chrome) or 'Warning: Potential Security Risk Ahead' (Firefox). Most users immediately leave without proceeding. Search engines may demote pages with expired certificates. Any HTTPS requests will fail with a certificate error, breaking API calls, webhooks, and third-party integrations that validate SSL. E-commerce sites with expired certificates also violate PCI compliance.

Why doesn't Let's Encrypt auto-renew work reliably?

Let's Encrypt auto-renewal via certbot relies on a cron job or systemd timer running correctly on the server. Common failure modes: the cron job is misconfigured or accidentally deleted during a server update; the ACME challenge fails due to firewall rules, DNS changes, or server configuration changes; the certbot installation becomes outdated; or the renewal runs on a server that no longer serves the domain. Manual monitoring is essential even when auto-renewal is configured.

How many days before SSL certificate expiry should I renew?

Renew 30–60 days before expiration. Let's Encrypt recommends running its renewal process when 30 days remain. For manually renewed paid certificates, starting the process 30–45 days early gives enough time for domain validation, organizational validation (OV), or extended validation (EV) vetting — EV certificates can take 3–5 business days to issue. Never wait until the last week; if something goes wrong during renewal, you'll have no buffer before the expiration causes outages.

Never Forget What Matters

Set reminders in plain English (or any language). Get notified via push, SMS, WhatsApp, or email.
