Let's Encrypt has done more for HTTPS adoption than any other single initiative. Free certificates, a standardized ACME protocol, and clients like certbot and acme.sh mean that certificate management is largely a solved problem for most teams. Set it up once, let it run, and forget about it.
The problem with "set it and forget it" is that forgetting about it also means not noticing when it stops working.
How Automated Renewal Works
Certbot and other ACME clients typically run on a timer (usually twice daily via a cron job or systemd unit) and renew any certificate that is within roughly 30 days of expiry. For a standard 90-day Let's Encrypt certificate, that means renewal kicks off around day 60. If everything works, the certificate is silently refreshed and you never think about it again.
If renewal fails, the client usually logs an error and tries again at the next interval. Twice a day. Silently. Until your certificate expires and your site starts throwing browser security warnings to every visitor.
What Can Go Wrong
Renewal failures are more common than you'd expect:
- A server migration changes the document root or web server config, breaking the ACME HTTP-01 challenge
- A firewall rule is added that blocks inbound traffic on port 80, which the ACME HTTP-01 challenge requires for domain validation
- A DNS change invalidates a DNS-01 challenge configuration
- A rate limit is hit (Let's Encrypt enforces per-domain limits)
- The certbot timer is quietly disabled during an OS update
- The certificate includes a domain that has since been removed from DNS, so validation fails for the whole certificate
None of these will cause an alert on their own. You'll find out when the cert expires.
Setting the Right Alert Threshold
Certificate monitoring adds a safety net that sits between your automation and your users. The key is choosing an expiration threshold that's useful without being noisy.
For a 90-day Let's Encrypt certificate:
- Alert at 30 days: Too early. This fires during the normal renewal window, so you'd get alerts on healthy certificates that are about to be renewed automatically.
- Alert at 15 days: The right balance. At this point, the automatic renewal window has passed. Something has been failing for two weeks. You still have 15 days to diagnose and fix the problem before any user is affected.
Fifteen days is enough time to investigate the failure, restore the renewal process, and verify the new certificate — even if the fix requires going through a support process or coordinating across teams.
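The threshold logic above, written out as a small checker. This is an added example, not the post's or Generator Labs' code; the state names, the 30-day renewal window and the 15-day threshold are assumptions chosen to match the text. `check_host` performs a live TLS connection, while the other functions run offline.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 30   # certbot default: renew when < 30 days remain
ALERT_THRESHOLD_DAYS = 15  # renewal should already have happened by now


def parse_not_after(cert_time: str) -> datetime:
    """Parse the 'Jun  1 12:00:00 2025 GMT' form that getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def fetch_not_after(hostname: str, port: int = 443, timeout: float = 5.0) -> datetime:
    """Connect with TLS and return the leaf certificate's notAfter as UTC.
    Caveat: the default context rejects an already-expired certificate during
    the handshake (ssl.SSLCertVerificationError), so a monitor must treat that
    failure as a broken certificate, not as a transient network error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])


def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days remaining; negative once the certificate has expired."""
    return (not_after - now).days


def classify(days_left: int, threshold: int = ALERT_THRESHOLD_DAYS) -> str:
    """Map remaining lifetime to a monitoring state (names are assumptions).
    ok      - outside the renewal window, nothing for automation to do yet
    pending - inside the window; a healthy cert is about to be replaced, so
              alerting here is the noise a 30-day threshold would produce
    alert   - window has passed with no new cert; renewal is failing
    expired - users are already seeing browser warnings"""
    if days_left < 0:
        return "expired"
    if days_left < threshold:
        return "alert"
    if days_left < RENEWAL_WINDOW_DAYS:
        return "pending"
    return "ok"


def check_host(hostname: str, threshold: int = ALERT_THRESHOLD_DAYS) -> tuple[int, str]:
    """Live check against a host; returns (days_left, state)."""
    try:
        not_after = fetch_not_after(hostname)
    except ssl.SSLCertVerificationError:
        return -1, "invalid"  # expired, name mismatch or untrusted chain
    days_left = days_until_expiry(not_after, datetime.now(timezone.utc))
    return days_left, classify(days_left, threshold)
```

Running `check_host("your.domain.example")` from the same twice-daily timer as certbot gives a second, independent signal: `pending` is expected noise, `alert` means renewal has been failing for about two weeks.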
Thresholds Are Changing
Certificate lifetimes are getting shorter. Let's Encrypt is already planning to move to 45-day certificates, with the transition beginning in 2027. At 45 days, certbot would attempt renewal around day 30, and a 15-day alert threshold would still give you a reasonable intervention window.
But the tighter the timeline, the less room for error. Monitoring becomes more important as certificate lifetimes shrink, not less.
The Two-Layer Approach
The right setup is automation plus monitoring, not one or the other:
- Automation (certbot, acme.sh, AWS ACM, Caddy) handles the routine work. Certificates are renewed well before they expire under normal conditions.
- Monitoring catches the cases where automation fails. You get an alert with enough lead time to fix the problem before anyone notices.
Generator Labs certificate monitoring tracks your certificate expiration dates and alerts you when a cert is approaching your configured threshold. If your automation is working, you'll never hear from it. If something goes wrong, you'll know before your users do.