Let's Encrypt renewal monitoring
Let's Encrypt is the best thing to happen to SSL since SSL. It's also the source of the single most common cert horror story: 'I ignored the renewal email because it had always auto-renewed.' ManageCert is the independent observer that catches a broken renewal cycle the day it stops working — usually 50-80 days before your cert actually expires.
Every Let's Encrypt + automatic-renewal story ends the same way: it had been working for years, the cron / Caddy / Certbot / Cloudflare integration / Vercel auto-issue / [your tool] handled it, until quietly it didn't. The renewal failed once, then twice, then 30 times — silently, with no notification — until day 90 hit and visitors saw a browser warning. ManageCert is the second pair of eyes that watches the cert that's ACTUALLY served on port 443, not the dashboard that claims it's fine.
Why ManageCert for Let's Encrypt renewals
Catches every known LE failure mode
CDN proxy intercepting `/.well-known/acme-challenge/`, DNS-01 validation breaking after a DNS migration, rate-limit hits from too-frequent retries, ACME account key issues. We don't diagnose the cause — we just tell you the public cert is still old.
Independent of your renewer
Whether you use Certbot, Caddy, acme.sh, Traefik, Vercel auto-issue, Netlify auto-issue, Cloudflare Origin certs, or any other LE tool — we hit your public domain and tell you what cert visitors get. The renewer is a black box to us; results are not.
Plain-English alerts when something breaks
When the daily check shows the same cert expiring sooner each day (renewal not happening), you get an email + Slack/Discord with a one-line plain-English explanation. Anthropic Haiku writes the explanation; we cache by issue fingerprint so it costs us pennies.
SSL, domain expiry, DNS — daily, across all your domains.
SSL certificates
Expiry, issuer, SANs, chain validity, hostname match. Alerts at 30/14/7/1 days, plus immediate if invalid.
Domain registration
RDAP + WHOIS lookups daily. Alerts at 60/30/14/7 days. Catches lapsed-domain → squatter before it happens.
DNS records
A/AAAA/MX/CNAME/TXT/NS snapshot + diff. Catches midnight MX flips before mail breaks for a week.
Frequently asked
- Why does Let's Encrypt auto-renewal fail silently so often?
- Because the renewal process (ACME) needs DNS or HTTP validation to succeed every 60-90 days. If anything about the network path changes (DNS provider switch, CDN proxy toggle, firewall rule, deleted A record), validation stops working — but your existing cert keeps serving for weeks until its expiry. The window between renewal-broken and cert-expired is the silent killer.
- Will you fix the renewal for me, or just tell me it's broken?
- We tell you it's broken — quickly and clearly. Fixing is up to you (or your hosting provider). We don't touch your infrastructure; we observe from the outside. This is by design — we don't want to be in the critical path of your renewal pipeline.
- How is this different from just monitoring cert expiry?
- Expiry monitoring tells you the cert expires in N days. Renewal-failure monitoring catches the cause weeks earlier: a healthy auto-renewal would have rotated the cert to a fresh 90-day window by now. If it hasn't, something's broken. We surface the pattern, not just the deadline.
- What CDNs / hosts is this most useful for?
- Anywhere LE renewal is automatic but the failure mode is silent: Cloudflare proxy (intercepts ACME), Netlify (DNS validation breaks on registrar changes), Heroku ACM, Vercel custom domains, self-hosted Caddy/Certbot installs, AWS EC2 with cron-based Certbot. All have well-documented silent-renewal-failure modes.
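The renewal-stall check described in the FAQ above, as an added example (not ManageCert's code): read the validity window of the certificate actually served on port 443 and flag it when a healthy renewer should already have replaced it. The function names, the two-thirds renewal point and the three-day grace period are assumptions of this sketch.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone


def fetch_validity(host, port=443, timeout=10.0):
    """Return (not_before, not_after) of the certificate served on host:port.

    Uses normal chain and hostname verification, so an already expired or
    mismatched certificate raises ssl.SSLCertVerificationError instead.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()

    def to_utc(text):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

    return to_utc(cert["notBefore"]), to_utc(cert["notAfter"])


def renewal_status(not_before, not_after, now,
                   renew_fraction=2 / 3, grace=timedelta(days=3)):
    """Classify a served certificate and return (status, whole_days_left).

    Assumption: a healthy renewer replaces the certificate once renew_fraction
    of its lifetime has elapsed; grace allows for a few failed retries.
    """
    days_left = (not_after - now).days
    if now >= not_after:
        return "expired", days_left
    if now < not_before:
        return "not_yet_valid", days_left
    renew_due = not_before + (not_after - not_before) * renew_fraction
    if now > renew_due + grace:
        return "renewal_overdue", days_left
    return "ok", days_left


if __name__ == "__main__":
    # Hostname comes from the command line; nothing is contacted on import.
    nb, na = fetch_validity(sys.argv[1])
    print(sys.argv[1], *renewal_status(nb, na, datetime.now(timezone.utc)))
```

Run daily against the public hostname; a `renewal_overdue` result means the old certificate is still being served past the point where the assumed renewer would have rotated it.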
Ready to stop worrying?
Solo $19 · Pro $39 · Agency $99 · Studio $249. 14-day free trial. Annual saves 20%.