SSL Certificate Expiry vs Let's Encrypt / Certbot
SSL Certificate Expiry and Certbot solve different problems. One issues free certificates. The other monitors them. Here's why you might need both.
This comparison is a little different because SSL Certificate Expiry and Let's Encrypt / Certbot aren't really competitors. Certbot issues and automatically renews free SSL certificates from Let's Encrypt. SSL Certificate Expiry monitors certificates and alerts you before they expire. They solve different problems -- and the best setup uses both.
The Quick Version
Certbot is your certificate issuance and renewal tool. SSL Certificate Expiry is your safety net that confirms the renewal actually happened. Certbot is the process. SSL Certificate Expiry is the verification.
Auto-renewal fails more often than you'd think
Certbot renewals can silently fail due to DNS changes, server migrations, permission issues, port conflicts, or expired credentials. When that happens, you won't know until your certificate expires and your users see a browser warning. Monitoring catches these failures before they become outages.
Feature Comparison
| Feature | Let's Encrypt / Certbot | SSL Certificate Expiry |
|---|---|---|
| Issues SSL certificates | Yes -- free, automated | No |
| Auto-renews certificates | Yes -- via cron/systemd | No |
| Monitors certificate expiry | No | Yes -- daily checks |
| Alerts before expiry | Let's Encrypt sends email at 20 days | Yes -- 30, 14, 7, 3, 1 day |
| Escalating alerts | No | Yes |
| Certificate chain validation | No (it issues them correctly) | Yes -- ongoing validation |
| Co-recipient alerts | No | Yes |
| Multi-domain dashboard | No | Yes |
| Works with any CA | No -- Let's Encrypt only | Yes -- any certificate, any CA |
| Detects renewal failures | No -- silent failure | Yes -- certificate still shows old expiry |
| Price | Free | Free (3 certs) / $9/mo (unlimited) |
Why Monitoring Matters Even With Auto-Renewal
If Certbot auto-renews your certificates, why would you need monitoring? Because auto-renewal is a process, and processes fail. Here are the real-world scenarios that catch teams off guard:
DNS changes. You moved your DNS to a new provider and didn't update the Certbot DNS challenge configuration. The HTTP challenge works from the old server, but your new server never gets the renewed certificate.
Server migrations. You migrated to a new server and the cron job that runs certbot renew didn't come along. Everything works until the certificate on the new server expires.
Permission issues. A system update changed file permissions, and Certbot can no longer write to the certificate directory. The renewal command runs, fails silently, and logs an error that nobody reads.
Port 80 conflicts. Certbot's HTTP challenge needs port 80. If another service started using that port, renewal fails. The certificate keeps working until its expiry date, then suddenly it doesn't.
Rate limits. Let's Encrypt has rate limits. If you've hit them (common during testing or with many subdomains), renewal attempts fail and retry later -- sometimes too late.
Wildcard cert complications. Wildcard certificates require DNS challenges, which need API credentials for your DNS provider. If those credentials expire or get rotated, renewal stops working.
Let's Encrypt does send an expiry notification email at 20 days before expiry. But it goes to the email address used during certificate registration -- which might be a former employee, a shared inbox nobody checks, or an address you don't remember setting up. It's a single notification, not an escalating series of alerts.
How They Work Together
The ideal setup is straightforward:
- Certbot handles certificate issuance and renewal automatically. Set it up, schedule the cron job, and let it do its thing.
- SSL Certificate Expiry monitors the actual certificates your servers are presenting. If Certbot successfully renews, SSL Certificate Expiry sees the new expiry date and stays quiet. If renewal fails, SSL Certificate Expiry alerts you at 30 days out, giving you plenty of time to fix the problem.
This works regardless of your certificate source. SSL Certificate Expiry monitors whatever certificate your domain is serving -- whether it came from Let's Encrypt, DigiCert, Sectigo, or any other CA. So even if you have some domains on Let's Encrypt and others on commercial certificates, one monitoring tool covers everything.
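A minimal sketch of that verification step, added here as an illustration and not SSL Certificate Expiry's or Certbot's own code: it reads the `notAfter` date of the certificate a host actually serves and maps the days remaining onto the 30/14/7/3/1-day alert tiers from the comparison table. The function names and the `example.test` host are assumptions; only the Python standard library is used.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert tiers from the comparison table (days before expiry).
ALERT_DAYS = (30, 14, 7, 3, 1)

def days_remaining(not_after, now):
    """Whole days until expiry; not_after is the 'notAfter' string from getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days  # negative once notAfter has passed

def alert_tier(days_left):
    """Return 'expired', the tightest tier reached (e.g. 7), or None if no alert is due."""
    if days_left < 0:
        return "expired"
    reached = [tier for tier in ALERT_DAYS if days_left <= tier]
    return min(reached) if reached else None

def served_not_after(host, port=443, timeout=10.0):
    """Fetch notAfter from the certificate the server presents right now."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check(host, now=None, fetch=served_not_after):
    """Check one host; 'fetch' is injectable so the logic can be exercised offline."""
    now = now or datetime.now(timezone.utc)
    try:
        left = days_remaining(fetch(host), now)
    except ssl.SSLCertVerificationError as exc:
        # Already-expired, wrong-host, or broken-chain certificates fail the handshake.
        return {"host": host, "status": "invalid", "detail": str(exc)}
    except OSError as exc:
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    return {"host": host, "status": "ok", "days_left": left, "alert": alert_tier(left)}

# Constructed sample: a certificate with 14 days left, i.e. one whose
# scheduled renewal did not happen.
SAMPLE_NOT_AFTER = "Jun 15 12:00:00 2025 GMT"
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESULT = check("example.test", SAMPLE_NOW, fetch=lambda host: SAMPLE_NOT_AFTER)
```

Run `check()` from a machine other than the web server so the result reflects what clients see, not what is on disk in the Certbot directory.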
When to Use Certbot Alone
- You have a single site with a simple setup
- You actively check your server logs
- You have automated testing that catches SSL issues
When to Add SSL Certificate Expiry
- You manage certificates across multiple servers
- You use certificates from multiple CAs
- You've had a renewal fail before
- Other people depend on your sites being secure
- You want your whole team to know about certificate issues
Our Honest Take
Let's Encrypt and Certbot are genuinely wonderful. Free, automated SSL certificates have made the web more secure for everyone. If you're using Certbot, keep using it -- it's excellent at what it does.
But "automated" doesn't mean "infallible." Auto-renewal is a process running on a server, and like any process, it can fail. When it does, it fails silently. The certificate keeps working right up until the moment it doesn't, and then you have an outage.
SSL Certificate Expiry isn't a replacement for Certbot. It's the verification layer that confirms Certbot did its job. Think of it like having smoke detectors even though you're careful with the stove. The automation handles the common case. Monitoring handles the exceptions.
Part of Boring Tools -- boring tools for boring jobs.