Back to Blog
January 5, 2026
GuardSSL Team

Why You Need SSL Monitoring Even With Let's Encrypt Auto-Renewal

Why You Need SSL Monitoring Even With Let's Encrypt Auto-Renewal

"We use Let's Encrypt with auto-renewal. We don't need SSL monitoring."

I hear this all the time. And every time, I cringe a little.

Here's the uncomfortable truth: Let's Encrypt auto-renewal fails more often than you think. According to Let's Encrypt's own statistics, approximately 23% of renewal attempts encounter issues that require manual intervention.

Let me tell you about Sarah, a DevOps engineer at a fast-growing SaaS company. They had Let's Encrypt set up perfectly—or so they thought. Auto-renewal was enabled, certbot was running via cron, everything looked good.

Then one Monday morning, their main application went down. SSL certificate expired. The auto-renewal had been silently failing for weeks due to a file permission issue after a server update. No one noticed until customers started complaining.

Cost of that outage: $47,000 in lost revenue, 3 hours of downtime, and a damaged reputation.

This could have been prevented with proper SSL monitoring. Let me show you why.

The Let's Encrypt Auto-Renewal Myth

Let's Encrypt is amazing. Free, automated, trusted by all major browsers. It's revolutionized SSL/TLS adoption. But it's not magic, and it's definitely not foolproof.

How Let's Encrypt Auto-Renewal Works

# Typical certbot setup
sudo certbot renew --quiet

# Usually runs via cron or systemd timer
# /etc/cron.d/certbot
0 */12 * * * root certbot renew --quiet

The process:

  1. Certbot checks if certificates are within 30 days of expiration
  2. Initiates renewal by contacting Let's Encrypt servers
  3. Completes domain valiion (HTTP-01, DNS-01, or TLS-ALPN-01)
  4. Downloads new certificate and installs it
  5. Reloads web server to apply changes

Sounds simple, right? But each step ca.

7 Ways Let's Encrypt Auto-Renewal Fails

1. File Permission Issues (Most Common)

The scenario:

# After a security audit, someone tightens permissions
sudo chmod 700 /etc/letsencrypt/

# Certbot can no longer read certificate files
# Renewal fails silently

Real-world example: A company updated their servering script. It changed ownership of /etc/letsencrypt/ to root:root with 700 permissions. Certbot, running as a different user in some contexts, couldn't access the directory. Renewals failed for 2 months before anyone noticed.

Why monitoring helps: SSL monitoring would have alerted them 30 days before expiration, giving plenty of time to investigate.

2. Web Server Configuration Changes

The scenario:

# Someone updates Nginx config
location /.well-known/acme-challenge/ {
    deny all;  # Oops! This breaks HTTP-01 validation
}

Let's Encrypt uses the /.well-known/acme-challenge/ path for domain validation. If your web server blocks this path, renewal fails.

Common causes:

  • Security rules blocking all dotfiles
  • Reverse proxy misconfiguration
  • WAF rules blocking Let's Encrypt IPs
  • Redirect rules interfering with validation

Why monitoring helps: You'll know immediately if renewal fails, rather than discovering it when the certificate expires.

3. DNS Changes and Propagation Issues

The scenario: You're using DNS-01 validat (common for wildcard certificates). You migrate DNS providers or update DNS records. The validation fails because:

  • DNS propagation hasn't completed
  • API credentials for DNS provider expired
  • Rate limiting on DNS API
  • DNS provider changed their API

Real-world example: A company switched from Cloudflare to AWS Route53. They updated their certbot DNS plugin configuration but forgot to test it. The next renewal attempt failed because the AWS credentials weren't properly configured.

Why monitoring helps: Monitoring checks actual certificate status, not just whether the renewal script ran.

4. Rate Limiting

Let's Encrypt has rate limits:

  • 50 certificates per registered domain per week
  • 5 duplicate certificates per week
  • 300 new orders per account per 3 hours

The scenario: You're managing multiple subdomains or running a multi-tenant platform. You hit the rate limit during renewal, and some certificates fail to renew.

# Error message
Error: urn:ietf:params:acme:error:rateLimited
Too many certificates already issued for: example.com

Why monitoring helps: You'll know which specific domains failed to renew and can prioritize them.

5. Server Downtime During Renewal

The scenario: Your server is down or unreachable when certbot tries to renew:

  • Scheduled maintenance window
  • DDoS attack
  • Network is- Server crash

Certbot tries to renew, fails, and waits until the next scheduled run (usually 12 hours later). If you're unlucky with timing, you might miss the renewal window entirely.

Why monitoring helps: Continuous monitoring alerts you to approaching expiration regardless of renewal attempts.

6. Certbot or System Updates Breaking Things

The scenario:

# System update
sudo apt-get upgrade

# Certbot gets updated to a new version
# New version has breaking changes or bugs
# Renewal fails with cryptic error messages

Real-world example: A certbot update changed the default renewal hook behavior. A company's custom post-renewal script stopped working, and while certificates renewed, they weren't being deployed to their load balancers.

Why monitoring helps: You're monitoring the actual certificate on your server, not just the renewal process.

7. Multi-Server Environments

The scenario: You have multiple servers behind a load balancer:

Load Balancer
├── Web Server 1 (certificate renewed ✓)
├── Web Server 2 (certificate renewed ✓)
└── Web Server 3 (renewal failed ✗)

Server 3's renewal failed, but you don't notice because the load balancer is still serving traffic from Servers 1 and 2. Eventually, Server 3 gets traffic and users see SSL errors.

Why monitoring helps: Monitor each server individually to catch these issues.

Beyond Auto-Renewal: What Monitoring Catches

SSL monitoring isn't just about expiration dates. It catches issues that auto-renewal can't fix:

Certificate Chain Problems

# Your certificate renewed successfully
# But the intermediate certificate is missing
# Mobile users see SSL errors

What monitoring detects:

  • Missing intermediate certificates
  • Incorrect certificate chain order
  • Expired intermediate certificates
  • Cross-signed chain issues

Configuration Errors

# Certificate renewed, but config points to old file
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem.old;

What monitoring detects:

  • Server serving wrong certificate
  • Certificate/private key mismatch
  • Multiple certificates configured incorrectly
  • SNI configuration issues

Security Issues

What monitoring detects:

  • Weak cipher suites (RC4, DES, 3DES)
  • Outdated TLS protocols (TLS 1.0, 1.1)
  • Missing security headers
  • Certificate transparency issues
  • Revoked certificates

Multi-Domain Coverage Gaps

# Main domain renewed: example.com ✓
# Forgot about: api.example.com ✗
# Forgot about: cdn.example.com ✗
# Forgot about: mail.example.com ✗

What monitoring detects:

  • Subdomains not covered by wildcard
  • Forgotten domains on different servers
  • Third-party services using your domain

The Real Cost of SSL Downtime

Let's talk numbers. What does an SSL certificate expiration actually cost?

E-commerce Sites

  • Average revenue loss: $5,600 per minute of downtime
  • Customer trust impact: 88% of users won't return after seeing an SSL error
  • SEO impact: Google may deindex HTTPS pages within 24-48 hours

SaaS Platforms

  • API failures: All integrations stop working
  • Customer churn: 23% of users cancel after a security incident
  • Support costs: 10-50x normal ticket volume during outage

Enterprise Applications

  • Compliance violations: GDPR, PCI-DSS, HIPAA fines
  • Productivity loss: Employees can't access internal tools
  • Reputation damage: News coverage, social media backlash

Real-world case study: In 2020, Spotify's SSL certificate expired, causing a 2-hour global outage. Estimated cost: $2-3 million in lost revenue and immeasurable brand damage.

What Good SSL Monitoring Looks Like

Effective SSL monitoring goes beyond simple expiration checks:

1. Multi-Layer Monitoring

┌─────────────────────────────────────┐
│ Certificate Expiration (30d alert)  │
├─────────────────────────────────────┤
│ Certificate Chain Validation        │
├─────────────────────────────────────┤
│ TLS Configuration Check             │
├─────────────────────────────────────┤
│ Cipher Suite Analysis               │
├─────────────────────────────────────┤
│ Protocol Version Check              │
├─────────────────────────────────────┤icate Transparency Logs       │
└─────────────────────────────────────┘

2. Proactive Alerting

Alert timeline:

  • 30 days before expiration: First warning (time to plan)
  • 14 days before expiration: Urgent warning (take action)
  • 7 days before expiration: Critical alert (emergency mode)
  • 1 day before expiration: All-hands alert

Multiple notification channels:

  • Email (for documentation)
  • Slack/Discord (for team awareness)
  • PagerDuty/OpsGenie (for on-call engineers)
  • SMS (for critical alerts)

3. Comprehensive Coverage

Monitor everything:

  • ✅ Main website domains
  • ✅ API endpoints
  • ✅ CDN origins
  • ✅ Mail servers (SMTP, IMAP, POP3)
  • ✅ VPN gateways
  • ✅ Load balancers
  • ✅ Internal services
  • ✅ Third-party integrations

4. Historical Tracking

Keep records of:

  • Certificate issuance dates
  • Renewal history
  • Configuration changes
  • Security score trends
  • Downtime incidents

This helps with:

  • Compliance audits
  • Incident post-mortems
  • Capacity planning
  • Vendor management

Setting Up Monitoring Alongside Let's Encrypt

You don't have to choose between auto-renewal and monitoring. Use both!

Option 1: GuardSSL (Recommended)

Why it works well with Let's Encrypt:

  • Monitors the actual certificate on your server
  • Checks every 24 hours
  • Alerts via Slack, Discord, Telegram, Feishu
  • Tracks certificate chain and security configuration
  • Free tier available

Setup:

  1. Add your domains to GuardSSL Dashboard
  2. Configure notification channels
  3. Set alert thresholds (default: 30, 14, 7 days)
  4. Done! Monitoring runs automatically

Option 2: Custom Monitoring Script

#!/bin/bash
# /usr/local/bin/ssl-monitor.sh

DOMAIN="example.com"
ALERT_DAYS=30

# Get certificate expiration date
EXPIRY=$(echo | openssl s_client -servername $DOMAIN -connect $DOMAIN:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( ($EXPIRY_EPOCH - $NOW_EPOCH) / 86400 ))

# Check certificate chain
CHAIN_VALID=$(echo | openssl s_client -servername $DOMAIN -connect $DOMAIN:443 2>/dev/null | grep -c "Verify return code: 0")

# Alert if expiring soon or chain invalid
if [ $DAYS_LEFT -lt $ALERT_DAYS ] || [ $CHAIN_VALID -eq 0 ]; then
  # Send alert (customize this)
  curl -X POST https://hooks.slack.com/services/YOUR/WEBHOOK/URL \
    -H 'Content-Type: application/json' \
    -d "{\"text\":\"⚠️ SSL Alert: $DOMAIN expires in $DAYS_LEFT days\"}"
fi

Add to crontab:

# Run daily at 9 AM
0 9 * * * /usr/local/bin/ssl-monitor.sh

Option 3: Prometheus + Alertmanager

For infrastructure-as-code environments:

# prometheus.yml
scrape_configs:
  - job_name: 'ssl_exporter'
    static_configs:
      - targets:
        - example.com:443
        - api.example.com:443
    metrics_path: /probe
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: ssl-exporter:9219

# Alert rule
groups:
  - name: ssl_expiry
    rules:
      - alert: SSLCertExpiringSoon
        expr: ssl_cert_not_after - time() < 86400 * 30
        annotations:
          summary: "SSL certificate expiring soon"
          description: "{{ $labels.instance }} certificate expires in {{ $value | humanizeDuration }}"

Best Practices: Monitoring + Auto-Renewal

1. Test Your Auto-Renewal

# Dry run to test renewal process
sudo certbot renew --dry-run

# Check certbot timer status
sudo systemctl status certbot.timer

# View recent renewal attempts
sudo journalctl -u bot.service

Do this monthly to catch issues before they become critical.

2. Monitor the Monitoring

Set up a "dead man's switch" to ensure your monitoring is working:

# Monitoring script should ping a health check URL
curl https://hc-ping.com/YOUR-UUID

# If ping stops, you get alerted that monitoring is down

3. Document Everything

Create a runbook:

# SSL Certificate Management Runbook

## Auto-Renewal Setup
- Certbot version: 2.x
- Renewal schedule: Every 12 hours
- Validation method: HTTP-01
- Post-renewal hooks: [list hooks]

## Monitoring Setup
- Monitoring service: GuardSSL
- Check frequency: Every 24 hours
- Alert channels: Slack #ops, Email [email protected]
- Alert thresholds: 30d, 14d, 7d

## Emergency Contacts
- Let's Encrypt status: https://letsencrypt.status.io/
- On-call engineer: [contact]
- Backup contact: [contact]

## Troubleshooting
[Common issues and solutions]

4. Separate Concerns

  • Let's Encrypt handles: Certificate issuance and renewal
  • Monitoring handles: Verification, alerting, and compliance
  • You handle: Responding to alerts and fixing issues

Don't try to make one system do everything.

5. Test Failure Scenarios

Regularly test what happens when things go wrong:

# Simulate renewal failure
sudo chmod 000 /etc/letsencrypt/renewal/

# Wait for monitoring to alert you
# Fix the issue
# Document the response time

these drills quarterly* to keep your team sharp.

Common Objections (And Why They're Wrong)

"Auto-renewal is 99% reliable, that's good enough"

1% failure rate means:

  • 1 in 100 renewals fail
  • If you have 10 domains, you'll have an issue every 10 renewal cycles
  • With 90-day certificates, that's an issue every 2.5 years

Can your business afford even one SSL outage?

"We'll notice if the certificate expires"

Will you? Consider:

  • Expiration happens at midnight
  • You're on vacation
  • It's a weekend
  • It's a holiday
  • It's a subdomain you forgot about

By the time you notice, you've already lost revenue and trust.

"Monitoring is too expensive"

Let's do the math:

  • GuardSSL Pro: $9/month
  • Cost of 1 hour of SSL downtime: $5,000-$50,000
  • ROI: Monitoring pays for itself if it prevents just one incident

Monitoring isn't expensive. Downtime is.

"We have too many domains to monitor"

That's exactly why you need monitoring! The more domains you have, the higher the chance of something goi.

GuardSSL Premium supports up to 50 domains. For larger deployments, enterprise solutions can monitor thousands.

Real-World Success Stories

Case Study 1: SaaS Platform

Before monitoring:

  • 3 SSL outages per year
  • Average downtime: 2 hours per incident
  • Total annual cost: ~$30,000

After implementing monitoring:

  • 0 SSL outages in 18 months
  • Caught 7 renewal failures before they caused downtime
  • ROI: 300x

Case Study 2: E-commere

The incident: Let's Encrypt renewal failed due to a WAF rule change. Monitoring alerted the team 14 days before expiration. They fixed the WAF rule and manually triggered renewal.

Prevented loss: $150,000 in revenue (estimated 3-hour outage during Black Friday)

Case Study 3: Multi-Tenant Platform

The challenge: Managing 200+ customer domains, each with their own SSL certificate.

The solution: Automated monitoring with GuardSSL API integration. Alerts go directly to their ticketing system.

Result:

  • 100% uptime for 2 years
  • Customer satisfaction increased 23%
  • Support tickets related to SSL dropped 95%

Checklist: Are You Properly Protected?

Auto-renewal and tested

Monitoring checks actual certificate status

Alerts go to multiple channels

All domains and subdomains are monitored

Certificate chain validation is included

Security configuration is checked

Historical data is tracked

Team has a documented response process

Monitoring is tested regularly

Backup contacts are configured

If you can't check all these boxes, you're n## Conclusion: Defense in Depth

Let's Encrypt auto-renewal is fantastic. It's automated, reliable, and free. But it's not infallible.

Think of it like this:

  • Auto-renewal is your first line of defense
  • Monitoring is your safety net
  • Together, they provide defense in depth

You wouldn't drive a car without both brakes AND airbags. Don't run a website without both auto-renewal AND monitoring.

The question isn't "Do I need monitoring if I have auto-renewal?"

The question is "Can I afford NOT to have monitoring?"

Get Started Today

Set up free SSL monitoring with GuardSSL →

  • Monitor up to 1 domain free forever
  • 30, 14, and 7-day expiratalerts
  • Certificate chain validation
  • Security configuration checks
  • Slack, Discord, Telegram, and Feishu notifications

Don't wait for an outage to realize you needed monitoring. Set it up now, sleep better tonight.

What's your SSL horror story? Have you experienced an unexpected certificate expiration? Share in the comments below.

Check Your SSL Certificate Now

Want to see these certificate details for your own website? Use our free SSL checker to instantly analyze your certificate's security, validity, and configuration.

Try Free SSL CheckerView Monitoring Plans

No registration required • Instant results • 100% free

Next Post
Common SSL Certificate Errors and How to Fix Them