All renewal & expiry questions

Why does SSL certificate auto-renewal sometimes fail?

SSL certificate auto-renewal fails for a surprisingly small set of reasons that are all avoidable in advance. The most common: the credit card on file with the certificate authority or registrar has expired or been replaced, and nobody updated the billing details. Second most common: the renewal notification email goes to an address nobody checks -- a former sysadmin, a generic info@ inbox, a domain that itself has expired. Third: DNS propagation issues or a CAA DNS record that blocks the issuing authority from validating the domain at renewal time.

For Let's Encrypt and other ACME-based auto-renewing certificates, failure modes include the renewal bot not running (server rebooted, cron removed, container restarted) or a domain validation challenge failing because the .well-known path is blocked. The common thread: auto-renewal is a process that needs human oversight, not a guarantee. Monitoring the certificate's end date independently of the renewal mechanism is the only reliable safety net.

Monitor domain and SSL dates independently

Go deeper: Domain and SSL expiry tracking guide

Related questions