SSL Certificate Expiry: The Silent Killer of SaaS Trust
SSL certificate failures aren't caused by sophisticated attacks. They're caused by forgetting to check a date on a calendar. Here's why they keep happening and how to prevent them entirely.
In 2023, an SSL certificate at a major bank expired. Customers couldn't log in. Online banking was inaccessible for hours. The cause wasn't a sophisticated attack, an infrastructure failure, or a bad deploy. A certificate expired because someone forgot to renew it.
This happens to products of every size — including indie SaaS products that should know better.
The reason it keeps happening isn't negligence. It's that SSL certificate expiry is genuinely easy to miss. The certificate worked fine for 12 months. You set it up, you moved on, and then one Tuesday morning your users start seeing browser warnings and you have no idea why — because you didn't get an alert.
What happens when an SSL certificate expires
When a visitor's browser connects to your site, it checks the SSL certificate to verify it's communicating with a legitimate server. If the certificate is expired, the browser stops the connection and shows a warning: "Your connection is not private" or "This site's security certificate has expired."
In most browsers, users cannot proceed past this warning without clicking through multiple "I understand the risks" prompts. The overwhelming majority won't click through. They'll close the tab.
For a consumer SaaS product, an expired certificate is functionally equivalent to a complete outage. Users can't log in. They can't use the product. The only difference is that instead of seeing an error page, they see a security warning — which is arguably worse, because it erodes trust even after you fix it.
Why it keeps catching teams off guard
Certificate renewal feels like infrastructure, and infrastructure feels like something you set up once and forget about. That's the trap.
Most SSL certificates are issued with a validity period of 90 days (Let's Encrypt) or 1 year (commercial CAs). Many teams use automated renewal through Let's Encrypt and assume it will always work. It usually does — until it doesn't.
Automatic renewal fails more often than you'd expect:
- DNS validation breaks. Let's Encrypt uses DNS challenges to verify domain ownership. If you changed DNS providers, rotated credentials, or modified DNS records, renewal silently fails.
- The renewal cron job died. If you're running certbot renew on a cron schedule, server migrations, OS upgrades, and disk-full events have all been known to silently kill cron jobs.
- CDN passthrough certificates aren't yours. If you're using Cloudflare in full proxy mode, the certificate your users see is Cloudflare's. But the certificate on your origin server can expire and cause backend connectivity failures you won't immediately understand.
- Wildcard certificates are easy to miss. *.yourcompany.com certificates cover all subdomains but expire as a single entity. When they expire, every subdomain fails simultaneously.
The cost of an expired certificate
Beyond the immediate outage, there's a longer tail of damage:
- Search ranking. Google factors HTTPS status into rankings. An extended certificate failure can result in lower search rankings even after you fix the issue.
- Customer trust. Users who encounter a security warning don't just leave — they tell others. "I tried to log into [product] and got a scary security warning" circulates in Slack workspaces and forum threads.
- Sales pipeline. If a prospect visits your site during a certificate failure, you've likely lost that lead. They'll assume you're either out of business or technically incompetent.
- SLA violations. If you have enterprise customers with uptime SLAs, a certificate-related outage almost certainly counts against them.
How to monitor SSL certificate expiry
The solution is straightforward: automated monitoring that alerts you before your certificate expires, not after.
Good SSL monitoring watches two things:
- Expiry date — how many days until the certificate expires
- Certificate validity — is the certificate currently valid and trusted by standard CAs
You want alerts at meaningful thresholds: typically 30 days out (time to investigate), 14 days (time to act), and 7 days (something is wrong, fix it now).
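A minimal checker for the two signals and the 30/14/7-day thresholds described above, as an added example that is not part of the original article or of any product it mentions. The function names and the connect_to parameter (for checking an origin server directly, as in the CDN case earlier) are assumptions of this sketch.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Thresholds from the article: 30 days (investigate), 14 (act), 7 (fix it now).
THRESHOLDS = [(7, "critical"), (14, "act"), (30, "investigate")]

def days_remaining(not_after, now):
    """Whole days from `now` to a notAfter string like 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def alert_level(days):
    """Return the tightest threshold that has been crossed."""
    if days < 0:
        return "expired"
    for limit, level in THRESHOLDS:
        if days <= limit:
            return level
    return "ok"

def check_host(hostname, connect_to=None, port=443, now=None, timeout=10):
    """Return (level, days_left, detail) for the certificate served for `hostname`.

    connect_to (hypothetical parameter): address of an origin server to dial
    instead of resolving `hostname`, so a certificate hidden behind a CDN is
    checked too. SNI and hostname verification still use `hostname`.
    """
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity dates
    try:
        with socket.create_connection((connect_to or hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Already expired, untrusted issuer, or wrong hostname.
        return ("invalid", None, exc.verify_message)
    except OSError as exc:
        # DNS failure, refused connection, timeout, or a non-verification TLS error.
        return ("unreachable", None, str(exc))
    days = days_remaining(not_after, now)
    return (alert_level(days), days, not_after)

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, *check_host(host))
```

Run it from a scheduler on a machine other than the one that performs renewal, so that a dead cron job on the web server does not also silence the check. An origin certificate that was not issued by a publicly trusted CA reports "invalid" under the default trust store.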
PingBase includes SSL certificate expiry monitoring on all plans — including the free tier. When you add a monitor for an HTTPS URL, PingBase automatically tracks the certificate expiry date and alerts you at 30, 14, and 7 days before expiry. No configuration required.
This means the moment your auto-renewal fails silently, you get an email telling you your certificate expires in 29 days. Not a 2am incident. A calm, actionable alert while you have time to fix it.
Fixing an expired certificate
If you're reading this because your certificate has already expired:
Let's Encrypt (Certbot):
certbot renew --force-renewal
systemctl reload nginx # or apache2
If renewal fails, check your DNS challenge setup with certbot renew --dry-run --debug.
Cloudflare (proxied domains): Go to Cloudflare Dashboard → SSL/TLS → Origin Server and create a new origin certificate.
Manual commercial certificate: Log into your certificate authority (DigiCert, Comodo, etc.), renew the certificate, download the new files, and replace the old ones on your server.
After replacing the certificate, verify it immediately by checking the certificate details in your browser's developer tools.
Prevention is 30 minutes of work
The permanent fix for SSL certificate anxiety is this combination:
- Automate renewal correctly — use Certbot with the appropriate DNS plugin for your DNS provider, or use Cloudflare's automatic certificate management
- Test your renewal process — run certbot renew --dry-run right now and confirm it succeeds
- Add monitoring — set up SSL expiry monitoring so you get alerted before anything breaks
PingBase's free plan monitors SSL certificates for up to 5 URLs with expiry alerts at 30/14/7 days. It takes about 2 minutes to set up and requires no ongoing maintenance.
SSL certificate failures are embarrassing precisely because they're so preventable. They're not caused by novel attacks or complex infrastructure failures. They're caused by forgetting to look at a date on a calendar.
The bank that lost hours of online banking access in 2023 almost certainly had dozens of engineers, expensive infrastructure, and years of uptime to protect. It still happened, because nobody was watching the expiry date.
Don't be that bank.