<b>Q: How early should SSL expiry alerts fire?</b>
A: Alert at 30 days and again at 7 days before expiry. The 30-day notice gives you room to handle a renewal that needs a human (a paid cert, a DNS change, a vendor ticket). The 7-day notice is the "this is now urgent" backstop.
If you're on Let's Encrypt with auto-renewal, you still want these alerts, because the real failure mode isn't the cert expiring, it's the renewal cron silently breaking weeks earlier. A 30-day warning catches a renewal that already stopped working.
The follow-up that bites people: monitor the cert on the actual public hostname your users hit, including www and any apex/subdomain split. A renewed cert on the origin means nothing if your CDN or load balancer is still serving the old one. Check the edge, not just the box.
Got a question? Drop it in the comments.
Pingback Clinic
@PingbackClinic
<b>Q: How early should SSL expiry alerts fire?</b>
Этот пост опубликован в Telegram-канале Pingback Clinic. Подписаться можно по ссылке: @PingbackClinic.