There are few faster ways to lose a visitor’s trust than a browser security warning. When a TLS (SSL) certificate expires, browsers don’t show a small notice — they show a full-page, red-letter “your connection is not private” wall. Most people turn around immediately.
On some domains it’s worse than a warning. The .app and .dev top-level domains are on the HSTS preload list, which means HTTPS is mandatory: an expired certificate doesn’t warn, it blocks the site entirely.
Why certificates lapse even with auto-renewal
Modern certificates (Let’s Encrypt and friends) are supposed to renew automatically. They usually do — until they don’t:
- the renewal cron job silently fails or the server is down during the window,
- a DNS or domain change breaks the validation challenge,
- a certificate was issued manually and nobody owns the calendar reminder,
- or the renewal works but the new certificate never gets deployed.
The common thread: the failure is quiet. You find out when a customer does.
The checklist
If you think a certificate is close to expiring:
- Check the actual expiry date. Don’t guess — look at the certificate. You can inspect any domain’s certificate, including the issuer and days remaining, with the SSL certificate checker.
- Confirm the renewed cert is actually served. A renewed certificate that’s sitting on disk but not loaded by the web server is still an outage waiting to happen. Re-check the live site, not the file.
- Verify the full chain. A missing intermediate certificate fails on some clients and not others — the trickiest kind of “it works on my machine.”
- Give yourself a buffer. Aim to renew with a couple of weeks to spare, so a failed attempt has room to retry.
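The checklist above as a script (an added example, not part of the original article and not Domnr's code): it verifies the chain and dates of the certificate the live server presents, compares that certificate with the leaf on disk, and flags anything inside the renewal buffer. The 14-day threshold, the function names and the finding labels are assumptions made for this example; the host and an optional PEM path are passed as command-line arguments.

```python
import hashlib, socket, ssl, sys
from datetime import datetime, timezone

BUFFER_DAYS = 14  # assumption: "a couple of weeks" read as 14 days
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def days_remaining(not_after, now=None):
    """Whole days left, from the notAfter string in ssl.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    return int((ssl.cert_time_to_seconds(not_after) - now.timestamp()) // 86400)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file or bundle."""
    leaf = pem_text[pem_text.index(BEGIN): pem_text.index(END) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def evaluate(not_after, live_fp, disk_fp=None, now=None):
    """Turn what the live site serves into checklist findings."""
    left = days_remaining(not_after, now)
    findings = []
    if left < 0:
        findings.append("EXPIRED")
    elif left < BUFFER_DAYS:
        findings.append(f"RENEW_NOW ({left} days left)")
    if disk_fp and disk_fp != live_fp:
        findings.append("NOT_DEPLOYED (server is not serving the cert on disk)")
    return findings or ["OK"]

def check_host(host, disk_pem_path=None, port=443):
    """Fetch the certificate the server actually presents and evaluate it."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                live_fp = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    except ssl.SSLCertVerificationError as err:
        # Python does not fetch missing intermediates, so an incomplete
        # chain fails here even if the site loads fine in some browsers.
        return [f"VERIFY_FAILED ({err.verify_message})"]
    disk_fp = None
    if disk_pem_path:
        with open(disk_pem_path) as fh:
            disk_fp = leaf_fingerprint(fh.read())
    return evaluate(cert["notAfter"], live_fp, disk_fp)

if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_host(*sys.argv[1:3]))
```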
Stop checking manually
The real fix isn’t a better checklist — it’s not having to run one. Domnr watches your certificates and warns you before they expire, alongside the domain’s renewal, DNS, and uptime, so the whole picture is in one place. No more finding out from a screenshot in a support ticket.