All guides
Guides

Domain and SSL Expiry Tracking: Never Let a Site Go Dark [2026]

Domain and SSL expiry are two separate countdowns that both kill your site. Here's a simple system to track both and never miss a renewal.

Lapsewise TeamJuly 11, 202613 min read
Domain and SSL Expiry Tracking: Never Let a Site Go Dark [2026]

One morning you open your laptop, type your own company's domain into the browser, and get a "This site can't be reached" error. You're not the first to know - your customers found out first, at 2 AM, when a monitoring alert somewhere fired. Your domain lapsed. The registrar sent notices to an email address that no longer exists, and auto-renewal failed because the card on file expired six months ago. You now have a 45-day grace window to pay a redemption fee of $150 or more to get it back - assuming a squatter hasn't picked it up first.

This is not a hypothetical. It happens to businesses of all sizes, and it's almost always preventable.

Domain expiry and SSL expiry: two separate countdowns

These are the two dates that can take your site offline, and they're often confused with each other. They're not the same thing, they're not managed by the same people, and they expire on completely different schedules.

Domain registration is your lease on the domain name itself - the right to have yourcompany.com point at your servers. It's managed through a domain registrar (GoDaddy, Namecheap, Cloudflare, One.com, and hundreds of others). Domains are typically registered in one-year or multi-year blocks, with an expiry date set at registration. When the lease runs out and isn't renewed, the domain stops resolving. Your site goes dark, your email stops working, and anyone who finds the lapsed domain in a search result hits a dead end.

SSL/TLS certificates are a different thing entirely. They prove to browsers that your site is who it claims to be and encrypt the connection. They're issued by a Certificate Authority (like Let's Encrypt, DigiCert, or Sectigo), not by your registrar. An expired SSL certificate doesn't take your domain offline - it causes browsers to show a security warning that blocks most visitors from proceeding. The practical result is the same: your site is effectively dead.

The two countdowns run independently. You could have a perfectly valid, renewed domain registration and a lapsed SSL certificate, and your site will still show a browser warning. You could have a freshly issued SSL certificate and a lapsed domain, and nobody can reach the site at all. Both need to be tracked, by whoever is responsible for each.

In most organizations, these are managed by different teams. The domain might be registered on the founder's personal card. The SSL certificate might be handled by a developer, or auto-issued by the hosting provider. When the question "who owns this?" has no clear answer, renewals fall through the gaps.

Why auto-renewal fails

Auto-renewal is the first thing people point to when asked about their domain or SSL renewal process. "It's set to auto-renew, we're fine." In practice, auto-renewal fails more often than people expect.

The catch Auto-renewal only works if all of the following are true at the same time: the payment card on file is valid and not expired, the billing email reaches someone who will act on any payment failure notice, the registrar or CA doesn't have a platform outage on renewal day, the ICANN administrative contact address is correct, and nobody has changed billing details since the last renewal. Every one of these can silently fail.

The most common failure mode is a card expiry. A domain renews every January. The card it's billed to expires in November. Nobody updates it because nothing is prompting them to - the domain renewal is eleven months away and invisible. Come January, the charge fails, the registrar sends a notice to a billing email that now reaches an inbox nobody monitors, and the countdown to deletion begins.

The second most common failure mode is old admin contact details. ICANN requires that domain registrant contact information - including the administrative email address - is accurate and accessible. When the person who originally registered the domain left the company, the email address often went with them. Renewal notices, ICANN verification requests, and payment failure alerts all vanish.

A third failure mode applies specifically to SSL certificates: the certificate was issued through a platform (a hosting provider, a CDN) that handled renewal automatically, but then something changed - the site moved to a different host, the integration broke, or the old platform stopped managing it. The site runs fine, the SSL still works, and nobody notices until it expires and the browser warning appears.

For a broader look at why renewal systems fail, see Why Renewal Reminders Fail.

The real cost of a lapsed domain

A lapsed domain isn't just an inconvenience. The consequences compound quickly.

Squatting. When a domain enters the pending-delete phase - roughly 75 days after expiry with no redemption - it becomes available for anyone to register. Automated drop-catching services monitor expired domains and grab high-value names within seconds of them becoming available. Once a squatter holds your domain, recovering it through UDRP arbitration starts at $1,500 for a single-panel case at WIPO and takes around 60-75 days - and that's if you have a clear trademark claim (source: wipo.int). A direct negotiated purchase from the squatter can run into the tens of thousands.

SEO damage. A domain that goes dark, even briefly, signals to search engines that the site is gone. If the squatter installs a spam page or a parked-domain page, your years of accumulated ranking authority can be used against you or simply discarded. Rebuilding that takes months.

Email blacklisting. If someone acquires your lapsed domain and uses it to send spam, your domain ends up on email blacklists. When you eventually recover the domain, outbound email from your address may be blocked by recipients' servers for months.

The financial cost of recovery scales fast. Redemption fees alone run $135-$200 at most major registrars - some charge up to $1,000. Add UDRP filing fees, lost revenue during downtime, developer time, and reputational damage, and what would have cost $15 to renew in time can cost tens of thousands to recover from. For a fuller look at what happens when things lapse, see 7 Things That Quietly Lapse and Cost You Money.

The SSL certificate cliff coming in 2029

There's a structural change happening to SSL management that makes tracking more important than ever. The CA/Browser Forum approved Ballot SC-081v3 in April 2025 - voted on unanimously by all four major browser vendors and 25 Certificate Authorities (source: cabforum.org) - which phases in shorter maximum certificate lifetimes:

  • From March 15, 2026: maximum SSL certificate lifetime drops to 200 days
  • From March 15, 2027: drops further to 100 days
  • By March 15, 2029: final cap of 47 days

If you're used to annual SSL renewals, you'll need to renew roughly every six weeks by 2029. Manual tracking becomes nearly impossible at that frequency, which is why the mandate is designed to force automation. But until your certificates are fully automated, each renewal is a moment where something can go wrong. Tracking the expiry date, and knowing when the certificate was last renewed, is the minimum to catch failures before visitors do. For more on SSL certificate management, see How to Track Certificate Expiry Dates.

A system that works

Awareness isn't enough. You need a repeatable process that doesn't depend on any one person's memory or inbox.

Step 1: Audit everything. List every domain your organization owns, including variations and defensive registrations. Then list every SSL certificate in use - check the main domain, subdomains, and any services hosted on separate domains. Note the registrar for each domain, the CA for each certificate, and who is the named billing/admin contact for each.

Step 2: Set reminders at 90, 60, and 30 days. One reminder is not enough. The 90-day mark is for checking that payment details are current. The 60-day mark is a confirmation that auto-renewal is configured correctly. The 30-day mark is the final warning - if anything hasn't been addressed, it gets addressed now.

Step 3: Assign a named owner. Every domain and every certificate needs one person whose name is next to it. "The team" doesn't get paged at 2 AM. A named person does.

Step 4: Verify auto-renewal details annually. Even if auto-renewal is on, set a calendar event once a year to check: Is the payment card valid for the next 12 months? Is the billing email monitored? Does the registrar still have the right contact details? This is the check that catches the silent failures before they become crises.

Track domain and SSL expiry in Lapsewise. Free to start, no card. Add the date once and get reminded before anything lapses.

Start tracking free

Where Lapsewise fits

Lapsewise is a general-purpose expiry and renewal tracker - but the Domains module is where it does something specific that saves real time.

When you add a domain record, you can type the domain name and Lapsewise will look up the registrar expiry date and the SSL certificate end date automatically. It contacts the registry directly via RDAP (the global whois protocol maintained by IANA), fetches the expiration event, and runs a TLS handshake against the live server to get the exact SSL end date and the certificate issuer. You get two dates with one lookup - the domain registration expiry and the SSL certificate expiry - and can add either as a record with a click.

That distinction matters because the two dates almost never match. Your domain might renew in March. Your SSL certificate might expire in September. You need to track both, and now you can do it from one place.

Lapsewise sends reminders before each expiry: email by default, with optional Slack and SMS for anything urgent. Each record has a named owner who gets the reminder. For agencies managing client domains, you can have all of them in a single workspace with module-level filtering, so you're not switching between a dozen registrar dashboards to get a picture of what's expiring when.

For more on managing digital infrastructure renewals, see What Happens When a Certificate Lapses and the domain management software page.

Common mistakes

Quick tip These are the mistakes that show up most often when a domain or SSL certificate lapses - and they're all avoidable with a small amount of process.
  • Using a personal email for domain registration. When that person leaves, all renewal notices disappear. Use a shared team inbox or a role-based address (domains@yourcompany.com) for all registrar contacts.
  • Treating SSL and domain renewal as one task. They're separate systems on separate timescales. Track them separately.
  • Registering all domains under one person's credit card. If that card expires or the person leaves, every domain registered to it is at risk.
  • Ignoring defensive registrations. Many organizations register yourcompany.com carefully and let yourcompany.net or yourcompany.co lapse, assuming nobody notices. Squatters notice.
  • Assuming Let's Encrypt handles everything. Let's Encrypt certificates auto-renew - until they don't. Server config changes, cron failures, and certificate authority outages can all break auto-renewal silently. Monitoring the actual certificate expiry date is still necessary.

See also Expiry Tracking 101 for the full picture of what date-driven renewals a business should be watching.

Frequently asked questions

What happens when a domain expires?

When a domain expires, most registrars enter a grace period of 0-45 days during which the original owner can renew at the standard price. After that comes a redemption period of roughly 30 days, during which renewal costs $135-$200 in fees (sometimes much more). After both windows close, the domain enters a pending-delete phase and is released for anyone to register. A squatter can claim it within seconds using automated drop-catching tools.

Can I recover a domain after it's been taken by a squatter?

Yes, but it's expensive and slow. UDRP arbitration through ICANN costs $750 to $3,000 and takes roughly 60 days. You need a registered trademark to have a strong case. If you don't have trademark protection or the squatter's use doesn't meet the bad-faith threshold, a direct purchase may be your only option - and the squatter sets the price.

Is SSL expiry the same as domain expiry?

No. They're separate systems with separate expiry dates, issued by different providers. Your domain registration is managed by your registrar. Your SSL/TLS certificate is issued by a Certificate Authority. Both can expire independently, and both cause site access problems when they do - a lapsed domain blocks access entirely, while an expired SSL certificate triggers a browser security warning that most visitors will refuse to proceed past.

How often will SSL certificates need to be renewed after 2026?

The CA/Browser Forum approved a phased reduction in maximum SSL certificate lifetimes. From March 2026, certificates can be issued for a maximum of 200 days. By March 2029, the maximum drops to 47 days. At 47-day lifetimes, manual renewal is impractical - automation or close manual tracking is required.

How many reminders should I set for a domain renewal?

Set reminders at 90 days, 60 days, and 30 days before expiry. Use the 90-day mark to verify payment details are current. The 60-day mark to confirm auto-renewal is configured. The 30-day mark as a hard deadline to act if anything hasn't been sorted. A single reminder close to the date often isn't enough - payment failures and admin issues take time to resolve.

Never let it lapse

Track every domain, SSL certificate, and hosting renewal in one place. Lapsewise warns you before any expiry slips. Free to start, no card.

Never let it lapse

Track every certificate, contract, grant, and license in one place. Lapsewise warns you before any renewal or expiry slips. Free to start, no card.