What is this
We check how long your TLS certificate is still valid. Under 30 days is critical, since some certbot renewals only start 30 days before expiry and you need buffer for problems.
Why it matters
An expired certificate = immediate downtime. Browsers, API clients, and mail servers stop trusting your site. Customers see a warning page.
How to fix it
TransIP: Enable auto-renew under Web hosting > SSL. For uploaded certificates: set a calendar reminder 30 days before expiry.
CloudFlare: Universal SSL and Origin Certificates renew automatically (Origin: 15 years). Custom-uploaded certificates are your own responsibility.
Strato or Antagonist: Auto-renew is on by default for Let's Encrypt. For commercial certificates the panel shows the expiry date, reorder in time.
Other: Run certbot renew in a daily cron or acme.sh --renew. Set up monitoring (Uptime Kuma, BetterStack) on the SSL expiry date with an alert 30 days out.
Verify
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates. Or open the lock icon in your browser > Certificate > Valid until.