An expired SSL certificate is one of the most embarrassing and avoidable causes of downtime. Your server is running, your DNS resolves correctly, your application is healthy — but every browser in the world shows a red warning screen and most users turn back. SSL monitoring catches the expiry before it happens.
How SSL certificates expire
Modern SSL/TLS certificates from Let's Encrypt expire every 90 days. Certificates from commercial CAs like DigiCert or Sectigo typically last one to two years. Automatic renewal via certbot or ACME clients works most of the time — but it fails silently when file permissions change, when your web server config is updated, or when a cron job stops running after a server migration. Commercial renewals require manual action and are often managed by the person who originally set them up, who may have since left the team.
What SSL monitoring actually checks
An SSL check connects to your host on port 443, completes the TLS handshake, and reads the certificate expiry date from the response. It then calculates how many days remain. VP Watchtower runs this check hourly and turns the status amber when fewer than 14 days remain, red when fewer than 7 days remain — giving you enough warning to renew before users are affected.
Beyond expiry: what else can go wrong
SSL monitoring also catches certificate mismatches — when your certificate was issued for www.example.com but you are serving it on api.example.com. It catches self-signed certificates that have slipped into production, and it catches certificate chain errors where an intermediate CA was not included in the server configuration. All of these cause browser warnings identical to an expired certificate from a user perspective.
Multi-domain considerations
If you run multiple subdomains — api.example.com, app.example.com, admin.example.com — each needs its own SSL check even if they share a wildcard certificate. A wildcard cert expiry affects all subdomains simultaneously. Add each as a separate service on your status page so the expiry warning is visible for each entry point your customers use.