Understanding and Renewing SSL Certificates
Everything you need to know about SSL/TLS certificates, expiration alerts, and renewal.
What SiteWatch checks
SiteWatch connects directly to your server on port 443 and inspects the SSL/TLS certificate. It checks:
- Expiration date: How many days until the certificate expires
- Hostname match: Does the certificate match your domain name?
- TLS version: Is the server using a modern TLS version?
- Certificate chain: Is the full chain of trust valid?
- Issuer: Who issued the certificate (Let's Encrypt, DigiCert, etc.)
The check frequency adapts to urgency: weekly when expiration is far away (>90 days), daily within 90 days, and twice daily within 30 days.
How to read your results
- OK (green): Certificate is valid and expires in more than 30 days.
- Warning (amber): Certificate expires within 30 days. Time to renew.
- Critical (red): Certificate expires within 7 days or has already expired.
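As an added example (not SiteWatch's own code), here is a Python script that performs the same checks a monitor would: connect on port 443, validate the chain against the system trust store, compute days to expiry and apply the OK/Warning/Critical thresholds above, compare the hostname against the certificate's SAN entries, and report the TLS version and issuer. The function names are my own, and check_site takes whichever host you want to inspect.

```python
import socket
import ssl
import time

def status_for_days(days_left):
    # Thresholds from this page: Critical at 7 days or less (or already expired), Warning at 30 or less.
    if days_left <= 7:
        return "Critical"
    if days_left <= 30:
        return "Warning"
    return "OK"

def days_until(not_after, now_ts=None):
    # not_after is the OpenSSL-style string getpeercert() returns, e.g. 'Jun  1 12:00:00 2030 GMT';
    # now_ts is an epoch timestamp, defaulting to the current time.
    expiry = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expiry - now_ts) // 86400)

def hostname_matches(hostname, san_names):
    # Exact match, or a single-label wildcard: *.example.com covers www.example.com but not example.com.
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def check_site(hostname, port=443, timeout=5.0):
    # Connect on 443 as SiteWatch does; the chain is verified against the system trust store,
    # but a hostname mismatch is reported as a finding rather than aborting the handshake.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert, version = tls.getpeercert(), tls.version()
    except ssl.SSLCertVerificationError as err:
        # Expired certificate or broken chain: the handshake itself fails, which is a Critical finding.
        return {"chain_ok": False, "status": "Critical", "error": err.verify_message}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    issuer = dict(x[0] for x in cert["issuer"]).get("organizationName", "unknown")
    days = days_until(cert["notAfter"])
    return {"chain_ok": True, "days_left": days, "status": status_for_days(days),
            "hostname_ok": hostname_matches(hostname, sans), "issuer": issuer,
            "tls_version": version, "tls_ok": version in ("TLSv1.2", "TLSv1.3")}
```

Run check_site("yourdomain.com") from a machine that can reach the server; a result with tls_ok False points at the "Outdated TLS version" fix below.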
Common issues and fixes
Certificate has expired
An expired certificate means browsers will show a full-page security warning to your visitors. Most will leave immediately.
If you use Let's Encrypt (most common):
Let's Encrypt certificates auto-renew via certbot. If renewal failed:
# Check certbot status
certbot certificates
# Force renewal
certbot renew --force-renewal
# Reload your web server
systemctl reload nginx
Common reasons auto-renewal fails:
- Port 80 is blocked (Let's Encrypt needs it for verification)
- DNS has changed and the domain no longer points to this server
- Certbot cron job was removed or disabled
If you use a paid certificate:
Contact your certificate authority or reseller to renew. After receiving the new certificate files, install them:
# nginx - update certificate paths in your config
ssl_certificate /etc/ssl/certs/yourdomain.crt;
ssl_certificate_key /etc/ssl/private/yourdomain.key;
# Reload
systemctl reload nginx
Certificate expires soon (warning)
You have time, but act now. If you use Let's Encrypt, try a manual renewal:
certbot renew
If it fails, check the logs at /var/log/letsencrypt/letsencrypt.log.
Hostname mismatch
The certificate was issued for a different domain than the one SiteWatch checked. This causes a browser warning. Common scenarios:
- You added a subdomain but didn't update the certificate
- The certificate is for www.example.com but you're serving example.com
- You moved to a new domain but kept the old certificate
Fix with Let's Encrypt:
# Add all needed domains
certbot certonly --nginx -d example.com -d www.example.com
Outdated TLS version
If SiteWatch detects TLS 1.0 or 1.1, your server is using an outdated protocol with known vulnerabilities. Modern browsers are dropping support for these versions.
nginx fix:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
Setting up auto-renewal
The best fix for SSL problems is to never think about them. Set up automatic renewal:
# Install certbot if not already installed
apt install certbot python3-certbot-nginx
# Get a certificate
certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Verify auto-renewal is set up
systemctl list-timers | grep certbot
Let's Encrypt certificates last 90 days and auto-renew once they are 60 days old (30 days before expiry). SiteWatch monitors the actual expiration date, so you'll get an alert if auto-renewal silently fails.