My certificates auto-renew — why do I still need this?
Because auto-renewal fails silently, and the failure modes are mundane:
- an expired card on the ACME or CA account,
- a DNS or firewall change that quietly breaks the renewal challenge,
- a forgotten subdomain served from a different stack that nobody re-pointed,
- a renewal cron that stopped running after a server move,
- a load balancer still serving an old cert because the new one didn't deploy.
In every case the automation "succeeds" right up until it doesn't, and nothing tells you. The first signal is usually a browser security warning — seen by a customer, not by you — and by then it's an incident.
What CertSentry actually checks
We connect to the host and read the certificate that's being served right now — not what your CA issued, but what visitors actually get. That distinction matters: plenty of outages are "the cert renewed fine, but the wrong one is deployed."
We then alert on a schedule before expiry — 30, 14, 7, 3 and 1 days ahead by default — so a broken renewal surfaces a week early, with time to fix it calmly.
Beyond the countdown
Expiry isn't the only failure. CertSentry also catches a served certificate that's become invalid the moment it appears:
- a hostname that doesn't match the certificate,
- an untrusted or incomplete chain,
- a certificate replaced with a broken or self-signed one.
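The served-certificate check described above and the failure modes just listed, as an added Python example (not CertSentry's own code): it performs a fully verified TLS handshake, maps the hostname, chain and self-signed failures to the categories above, and applies the 30/14/7/3/1 day schedule to the expiry of the leaf the server actually presented. The function names and the OpenSSL error substrings it matches on are assumptions.

```python
import socket
import ssl
import time
from datetime import datetime, timezone

DAY = 86400
LEAD_DAYS = (30, 14, 7, 3, 1)   # the default alert schedule described above

def expiry_alert(not_after_epoch, now_epoch, lead_days=LEAD_DAYS):
    """Return the tightest lead time (days) the cert has fallen inside,
    0 if it is already expired, or None if no alert is due yet."""
    remaining = not_after_epoch - now_epoch
    if remaining <= 0:
        return 0
    for days in sorted(lead_days):           # smallest window first
        if remaining <= days * DAY:
            return days
    return None

# Substrings of OpenSSL's verify-error text (assumed wording), mapped to the
# failure modes listed above.
FAILURE_MODES = (
    ("hostname mismatch", "hostname does not match certificate"),
    ("unable to get local issuer certificate", "untrusted or incomplete chain"),
    ("self signed certificate", "self-signed certificate"),
    ("certificate has expired", "expired certificate"),
)

def classify_failure(message):
    """Map an ssl.SSLCertVerificationError message to one of the failure modes."""
    text = message.lower().replace("self-signed", "self signed")  # OpenSSL 1.1 vs 3.x wording
    for needle, mode in FAILURE_MODES:
        if needle in text:
            return mode
    return "other verification failure: " + message

def check_served_cert(host, port=443, timeout=5.0):
    """Handshake with full verification and report what a visitor actually gets."""
    ctx = ssl.create_default_context()       # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()     # the leaf the server presented
    except ssl.SSLCertVerificationError as err:
        return {"status": "invalid", "reason": classify_failure(str(err))}
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    alert = expiry_alert(not_after, time.time())
    return {"status": "ok" if alert is None else "alert", "lead_days": alert,
            "not_after": datetime.fromtimestamp(not_after, timezone.utc).isoformat()}

if __name__ == "__main__":
    import sys
    print(check_served_cert(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it from cron against each public hostname (including the forgotten subdomains) and page on anything other than `status: ok`; a deploy that leaves the old cert on a load balancer shows up here because the check reads the served leaf, not the CA's records.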
Tune the lead times in when SSL expiry alerts fire.