By Greg Nowak. Last updated 2026-06-20.
Public TLS certificate renewal used to be forgiving. A calendar reminder, a quick login, a renewal task once or twice a year. That was never ideal, but the margin was wide enough for many organisations to get away with it.
That margin is shrinking. The CA/Browser Forum has approved a phased reduction in public SSL/TLS certificate lifetimes: 200 days from March 15, 2026, 100 days from March 15, 2027, and 47 days from March 15, 2029. TechRadar’s reporting puts the first practical pressure point in plain terms: certificates issued around the March 2026 change begin expiring in early October 2026, which creates a predictable renewal wave.
The business implication is not abstract. Certificate renewal is becoming a server reliability job. It belongs beside backups, patching, service reloads, uptime checks, and incident response. An expired certificate is not just a browser warning. It can interrupt APIs, admin panels, third-party integrations, internal tools, checkout flows, and customer-facing applications.
Manual renewal will not survive a 47-day cycle
The 200-day limit already changes the old annual rhythm. The later 100-day and 47-day limits push certificate operations toward quarterly and then near-monthly discipline. For teams running Apache, Nginx, LiteSpeed, reverse proxies, or CDN-adjacent setups, TLS itself is not suddenly the hard part. The weak point is usually the process around it.
Let’s Encrypt makes the same operational point from the CA side. Shorter certificates reduce the time a bad or stale certificate remains useful, but that benefit depends on automated issuance and renewal. Without automation, the security improvement turns into a more frequent chance to miss a deadline.
The first useful step is inventory. It is common for the main website to renew cleanly while a staging hostname, API endpoint, admin interface, reverse proxy, or old virtual host sits outside the renewal path. Someone has to know what certificates exist, where they are served, how they renew, and which services must reload when the files change.
| Audit area | What to check | Why it matters |
|---|---|---|
| Certificate inventory | Map every public hostname to its certificate, issuer, expiry date, webserver, and renewal method. | Forgotten hostnames are usually exposed first when lifetimes shorten. |
| ACME validation | Confirm HTTP-01, DNS-01, or server-native ACME can complete without a manual step. | Automation breaks if validation still relies on a person being available. |
| Renewal scheduling | Review Certbot cron entries, systemd timers, or the equivalent renewal client schedule. | A valid certificate today does not prove the next renewal will run. |
| Deploy and reload hooks | Test syntax checks, deploy hooks, and graceful reloads for Apache, Nginx, LiteSpeed, and proxy layers. | A renewed certificate file is not enough if the live service keeps serving the old one. |
| Endpoint monitoring | Monitor the certificate presented by each real HTTPS endpoint. | The client-visible certificate is where the outage appears. |
| Rollback path | Document how to reverse a broken config change, change validation method, or restore a working certificate path. | Renewal fixes should not become emergency server rebuilds. |
Certbot still needs supervision
Certbot remains a sensible renewal tool for many servers, but the renewal command is only one part of the operating model. Its documentation explains that certbot renew checks installed certificates for upcoming expiry and attempts renewal. Many installations include automatic renewal through a scheduled task, and Certbot also documents how to verify that scheduling through crontab or systemd timers.
That distinction is where real failures hide. A server can have working Let’s Encrypt certificates today while its renewal timer is disabled, its renewal configuration has drifted, or its deploy hook no longer reloads the active webserver. Certbot’s pre-hooks, post-hooks, and deploy-hooks are useful, but they are also places where small mistakes matter. A hook can restart the wrong service, run with the wrong permissions, fail silently, or update files that production is not actually using.
A proper review should include a dry renewal test where appropriate, a check of renewal configuration, and a reload test against the actual service. For Apache and Nginx, syntax checks before reload should be normal practice. In multi-layer setups, the test needs to verify the outside endpoint, not just files under /etc/letsencrypt.
Apache has a native option
Apache’s mod_md documentation shows another route: Managed Domains with certificate provisioning and renewal through ACME. The module is built to manage shared domain properties across virtual hosts, supervise and renew TLS certificates before expiry, expose certificate status, and support notification commands around renewal, expiration, and errors.
That does not mean every Apache estate should move away from Certbot or existing tooling. It means Apache administrators have a server-native option that may fit some environments better than separate scripts. The right choice is the one that can be inventoried, tested, monitored, and explained clearly to the next person responsible for the server.
The same principle applies to Nginx and LiteSpeed even when the renewal client sits outside the webserver. The certificate lifecycle should be visible in operations: where validation happens, where files land, which process reloads, and how alerts reach someone before users notice the problem.
Renewal timing is becoming more coordinated
The IETF ACME Renewal Information draft is worth watching because it moves renewal timing beyond fixed local assumptions. ARI lets an ACME server give clients a suggested renewal window. The draft explains that this can help servers manage load spikes and stop clients from making false assumptions about the right renewal period.
For server owners, the broader point is that certificate automation is becoming a service chain: CA, ACME client, DNS validation, webserver configuration, reload hooks, and monitoring. A simple cron mindset is too narrow. The ARI draft also notes that cron-based clients may need to run more frequently to check renewal information while still handling failures with proper backoff.
Monitor what users actually receive
Good certificate monitoring should connect like a client and inspect the certificate being served. File checks help, but they do not catch every failure. A reverse proxy may serve a different certificate than the origin. A reload may fail after a successful renewal. A wildcard certificate may renew while a separate hostname remains uncovered. A CDN-adjacent setup may have more than one certificate boundary.
Expiry alerts should therefore be endpoint-based, early, and specific enough to act on. The alert should leave time to fix DNS validation, restore API access, adjust a renewal hook, or roll back a webserver change calmly. With shorter lifetimes, thresholds that once felt generous can become too late for comfortable recovery.
The real case is continuity
This is not certificate housekeeping for its own sake. The commercial risk is avoidable downtime followed by rushed recovery. TechRadar’s warning about the October 2026 cliff is useful because it describes the failure smaller organisations are most likely to face: not an advanced TLS problem, but a process problem exposed by faster renewal cycles.
A focused certificate automation review is a practical server administration project. Find every certificate. Verify ACME renewal paths. Test Apache, Nginx, LiteSpeed, and proxy reloads. Add endpoint expiry monitoring. Document DNS and API dependencies. Write rollback steps before the first urgent renewal incident.
Handled properly, shorter TLS certificates become routine infrastructure maintenance. Left to manual habits, they become a recurring deadline that eventually lands at the worst possible time.
Related on GrN.dk
- OpenSSH 10’s crypto changes make old SFTP integrations a paid cleanup project
- The 2026 WordPress Plugin Exploit Drumbeat Makes Plugin Inventory and Incident Response Paid Work
- Apache 2.4.68 Is a Reminder That Old Proxy Rules Need a Real Audit
Need help with this kind of work?
Book a TLS renewal automation review Get in touch with Greg.