DEV Community: Lineu Graeff The latest articles on DEV Community by Lineu Graeff (@lineu_graeff). https://dev.to/lineu_graeff https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3968571%2Fa5fa1610-506e-42e7-bd1a-4c2f601a13e7.png DEV Community: Lineu Graeff https://dev.to/lineu_graeff en SSL certificates just got a lot shorter — what it means for agencies managing client sites Lineu Graeff Thu, 04 Jun 2026 15:50:25 +0000 https://dev.to/lineu_graeff/ssl-certificates-just-got-a-lot-shorter-what-it-means-for-agencies-managing-client-sites-19bo https://dev.to/lineu_graeff/ssl-certificates-just-got-a-lot-shorter-what-it-means-for-agencies-managing-client-sites-19bo <p>Most developers I've talked to don't know this yet.<br> In March 2026 the CA/Browser Forum officially reduced the maximum SSL certificate lifespan from 398 days to 200 days. By 2027 it drops to 100 days. By 2029 it's 47 days.<br> That's 8x more renewal cycles per year by 2029.<br> The real problem isn't renewal<br> Let's Encrypt, Cloudflare, and most modern hosting handles renewal automatically. The problem is when auto-renewal fails silently.<br> And it does fail. More often than you'd think.<br> Here's how it happens:</p> <p>DNS challenge fails after a nameserver migration<br> Let's Encrypt rate limiting kicks in<br> Nginx or Apache doesn't reload after cert renewal<br> Wildcard certs that can't auto-renew without manual steps<br> Client moves hosting, breaks the automation, nobody notices</p> <p>In every one of these cases the cert expires. The browser shows a security warning. The client calls you.<br> Domain expiry is worse<br> At least SSL has auto-renewal as a partial solution. Domain expiry doesn't.<br> Auto-renew on a domain requires:</p> <p>Credit card on file at the registrar<br> Card not expired<br> Registrar actually processing the charge<br> Client not accidentally disabling it</p> <p>I've seen agencies lose client domains because the registrar renewal email went to a former employee's inbox. The domain expired, dropped, and a squatter picked it up within hours.<br> What the 47-day change means in practice<br> By 2029 you'll be managing roughly 8 renewal cycles per year per domain instead of one. More cycles means more chances for something to go wrong.<br> For an agency managing 30 client sites that's potentially 240 renewal events per year to stay on top of.<br> How I'm handling it<br> I built ExpiryPing after dealing with this problem on my own freelance work. It monitors SSL certificates and domain expiry across all your client sites and sends email and Slack alerts at 30, 14, 7, and 1 day before anything expires.<br> No credentials required — you just add the domain name. It connects via standard TLS handshake. Setup takes about 5 minutes for 10 sites.<br> Free tier available for up to 3 domains. If you want to try it: expiryping.dev<br> Happy to answer any questions about the SSL lifespan changes or how the monitoring works technically.</p> automation devops news security