Question 1

What is SSL certificate monitoring?

Accepted Answer

SSL certificate monitoring is the continuous automated checking of a website's TLS certificate to verify it is valid, correctly installed, and not approaching expiration. A monitoring service fetches the certificate from your domain on a regular schedule (typically daily or every few hours), parses the expiry date and issuer, validates the full certificate chain against trusted root CAs, checks that the certificate covers the correct hostnames (SAN/wildcard match), and verifies supported TLS protocol versions. When any check fails or the expiry date approaches a configured threshold, the monitor sends an alert — usually via email, Telegram, Slack, or webhook. Independent SSL monitoring is essential because auto-renewal via ACME (Let's Encrypt) or commercial CAs can fail silently, and calendar reminders for manual renewal routinely get missed.

Question 2

How often should I check SSL certificates?

Accepted Answer

At least once per day. Most SSL monitoring services check every 4-24 hours because certificate state does not change often — what matters is reliable detection well in advance of expiry. Checking more often (hourly or per-minute) wastes resources without catching problems faster; checking less often (weekly) is dangerous because you may miss the narrow window between an auto-renewal failure and the old certificate expiring. Upsonar checks SSL certificates at least once daily on every plan and sends alerts at 30, 14, and 7 days before expiration so there is plenty of time to renew manually if automation fails.

Question 3

Why do SSL certificates expire?

Accepted Answer

SSL certificates expire by design to limit the impact of compromised keys and to force regular re-verification of domain ownership. Let's Encrypt, the largest certificate authority on the web, issues certificates with a 90-day lifetime and recommends renewing every 60 days. Commercial CAs like DigiCert, Sectigo, and GoDaddy issue certificates valid for 1 year (since 2020 — previously 2 years). The CA/Browser Forum has proposed reducing maximum certificate lifetime to 47 days by 2029, which will make automation and monitoring even more important than today.

Question 4

What happens when an SSL certificate expires?

Accepted Answer

When your SSL certificate expires, all modern browsers display a full-page security warning — Chrome shows "Your connection is not private" (NET::ERR_CERT_DATE_INVALID), Firefox shows "Warning: Potential Security Risk Ahead", Safari shows "This Connection Is Not Private". Most users will not click through. Your site becomes effectively unreachable to the general public. Additional consequences: search rankings drop because Google has used HTTPS as a ranking signal since August 2014 (source: Google Search Central blog); API integrations that validate certificates break immediately; email servers sharing the same certificate start rejecting mail; and third-party services that embed your site (widgets, OAuth, webhooks) begin failing.

Question 5

Does Google rank HTTPS sites higher than HTTP?

Accepted Answer

Yes. Google officially announced HTTPS as a lightweight ranking signal in August 2014 and has strengthened it since. Chrome has marked all non-HTTPS pages as 'Not Secure' since July 2018, and Google Search actively prefers HTTPS URLs when both HTTP and HTTPS versions of a page exist (the HTTPS version is chosen as canonical). A website with an expired or invalid certificate may be dropped from search results entirely — not because Google penalizes HTTP, but because Googlebot cannot safely crawl a site whose certificate fails validation.

Question 6

How far in advance does upsonar alert me?

Accepted Answer

Upsonar sends SSL expiry alerts at 30 days, 14 days, and 7 days before expiration by default — three separate alerts via every configured channel (email, Telegram, Slack webhook, etc.). Paid plans allow custom alert thresholds. This multi-stage approach gives teams plenty of time to renew the certificate manually, investigate auto-renewal failures, or coordinate with the infrastructure team. The 30-day lead time is important because troubleshooting a broken ACME setup or coordinating with a commercial CA can take days.

Question 7

Can auto-renewal fail?

Accepted Answer

Yes — auto-renewal fails more often than expected, and it usually fails silently. The most common causes: DNS changes that break the ACME HTTP-01 or DNS-01 challenge, firewall rules blocking inbound connections from the CA's validation servers, expired payment methods for paid certificates, server migrations that skip the renewal cron job, changes to the .well-known/acme-challenge directory during a site redesign, rate-limit caps on Let's Encrypt (5 duplicate certificates per week per account), and account key mismatches after restoring from backups. Because auto-renewal is automatic, teams rarely notice these failures until the old certificate is a few days from expiring. Independent monitoring is the only reliable safety net.

Question 8

Does upsonar check certificate chains?

Accepted Answer

Yes. Upsonar validates the complete certificate chain from your server certificate through any intermediate certificates to the root CA. Incomplete chain installation is a surprisingly common misconfiguration — the site appears to work fine in desktop Chrome (which fetches missing intermediates automatically) but fails in mobile Safari, older Android, API clients, and command-line tools like curl. Upsonar catches this mismatch on every check and alerts when the chain is broken.

Free SSL Certificate Monitoring

What is SSL certificate monitoring?

Why SSL Monitoring Matters

Browser Warnings

Silent Renewal Failures

30-Day Early Warning

How SSL Monitoring Works

What We Check

Check Your SSL Certificate Now

Related

Frequently Asked Questions

Never Miss an SSL Expiry Again