Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Shipping securely on a budget

SSL certificate expiry monitoring: why the calendar reminder fails

July 18, 2026·5 min read
A calendar page fading into shadow — expiry dates arriving faster than a manual reminder can track.

Tracking certificate expiry in a calendar reminder worked when certificates lasted a year. It doesn't anymore — and the reason isn't that you're disorganised. The renewal you rely on runs in the background, and the window you're tracking is collapsing.

SSL expiry monitoring isn't about not knowing the date. It's about the two ways knowing the date still isn't enough.

Auto-renewal is a silent background job

"It renews automatically" is true right up until it doesn't. Renewal is a scheduled task — a certbot timer, a platform hook, an ACME client — and like any scheduled task it can fail without a sound: an expired API token, a DNS validation that breaks, a rate limit, a disabled service. When it does, nothing announces it. The certificate just quietly marches toward its expiry date with nothing renewing it.

The dangerous case isn't "I forgot the date." It's "the automation I trusted stopped working and didn't tell me." A reminder in your calendar doesn't catch that — it assumes the renewal happens.

The window is shrinking on purpose

Certificate lifetimes are being cut hard over the next few years, which multiplies how often renewal has to succeed:

398 → 200d
max lifetime drops in March 2026
100 days
the cap in 2027
47 days
the cap from March 2029
more often
every cut multiplies renewal attempts — and failure chances

At a 47-day lifetime, a certificate renews roughly every six weeks, all year. Manual tracking of that across even a few domains is hopeless, and a single silent renewal failure between reminders is an outage.

What real monitoring watches

Effective SSL monitoring doesn't trust your renewal — it independently checks the live certificate the browser actually sees, from outside your stack, and counts down the days remaining. If that number stops dropping because renewal worked, great. If it keeps dropping toward zero because renewal broke, you get warned with days to spare, not a red screen.

Want the one-off version first? Check the current expiry date on any domain in seconds:

free tool · no loginSSL expiry checkPaste a domain and see its exact certificate expiry date and days remaining. The one-off check; monitoring is the always-on version. No login.

Because the failure is a full outage

This matters more than most monitoring because an expired certificate isn't a degraded page — it's every visitor blocked at once by a browser warning. The whole point of monitoring the expiry is to make sure that known, avoidable, calendar-scheduled outage never actually happens.

Stop trusting the renewal. Start watching the certificate.

Join Tell Me When Down free and we'll check your live certificate from outside, every day, and email you days before it expires. Whether or not your auto-renewal is working, you'll know in time to fix it.

Monitor my certificatefree · no card required
more on shipping securely on a budget
The website launch security checklist nobody hands youYou get a deploy button, not a checklist — so most sites launch with the cert valid and nothing else checked. The four things to test from your URL in seconds, plus the code-side items that cost the most.Website down from an expired SSL certificateAn expired certificate is a full outage — every visitor hits a red warning, though the server's fine. Here's why auto-renewal still fails silently, why shrinking cert lifetimes make it likelier, and how to see it coming.My website says "Not Secure" — what it means and how to fix itThe "Not secure" label looks like a hack but usually isn't — it means your site isn't using HTTPS properly. Here's what the browser is really saying, and the common causes in plain language, fixed one by one.What are security headers? A plain-English guideSecurity headers tell the browser how to behave safely — refuse HTTP, block framing, don't guess file types. Here's what each of the ones that matter actually does, and why almost every new site ships without them.How to add security headers in Next.js (including CSP)Next.js sends no security headers by default. The static ones are a config block; the hard part is a CSP that helps without blocking your own scripts. Here's the nonce approach, the report-only trick, and the version caveat.Secure, HttpOnly, SameSite: the cookie flags that matterThree small flags — Secure, HttpOnly, SameSite — decide whether your session cookie is a locked token or the easiest thing to steal on your site. Here's what each closes, and how to check which your cookies set.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com