SSL certificate renewal can fail silently. When one expires, browsers can block users before they ever reach your website. The fix is usually simple, but the impact is immediate and public.
Why SSL monitoring matters
Tools like Let's Encrypt automate certificate renewal, but automation is not the same as verification. Renewals can fail, certificates may not deploy correctly, and proxies or CDNs may continue serving an old certificate.
On June 4, 2025, Let's Encrypt stopped sending email alerts that a certificate will expire. That means teams no longer receive passive warnings and must actively monitor certificate status.
Method 1: Check SSL expiration from the command line
You can check a certificate’s expiration date directly using OpenSSL. This works on Linux and macOS.
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -datesThis returns the certificate validity window:
notBefore=Jan 1 00:00:00 2026 GMT
notAfter=Mar 31 23:59:59 2026 GMTThe "notAfter" value is the expiration date. This check reflects what users actually receive over HTTPS, not just what exists on your server.
Method 2: Or use curl for quick validation
For a fast check during debugging, curl will fail if the certificate is invalid:
curl -v https://example.comIf there is a certificate issue, curl will display it. This is useful for confirming problems, but not for proactive monitoring.
Common failure scenarios
- Auto-renewal failed silently
- Certificate renewed but not deployed
- Load balancer or CDN still serving old cert
- Wrong hostname or missing SAN entry
- Alerts sent to an unmonitored inbox
What good SSL monitoring looks like
- External checks
- Multiple warning thresholds (30, 14, 7, 3 days)
- Coverage of all domains and subdomains
- Alerts routed to a real owner
DIY monitoring isn't for everyone
Command-line checks require maintenance. Scripts break, cron jobs go forgotten, and alerts can get lost. As your number of domains grows, the overhead increases quickly.
A simpler approach
Instead of maintaining scripts, many teams use external monitoring like ServerVisor that continuously checks SSL certificates and sends alerts before expiration.
They don't just assume renewal works, they verify and remove the risk of silent failures.
SSL expiration is a preventable outage and easy to fix if notified early. The only requirement is noticing it in time.
ServerVisor Team
Final takeaway
Monitoring SSL expiration isn't complicated, but it's important. Whether you use scripts or a monitoring service, the goal is the same: verify from the outside, warn early, and don't let expiration surprise you.