DEV Community

Lineu Graeff
Lineu Graeff

Posted on

SSL certificates just got a lot shorter — what it means for agencies managing client sites

#automation #devops #news #security

Most developers I've talked to don't know this yet.
In March 2026 the CA/Browser Forum officially reduced the maximum SSL certificate lifespan from 398 days to 200 days. By 2027 it drops to 100 days. By 2029 it's 47 days.
That's 8x more renewal cycles per year by 2029.
The real problem isn't renewal
Let's Encrypt, Cloudflare, and most modern hosting handles renewal automatically. The problem is when auto-renewal fails silently.
And it does fail. More often than you'd think.
Here's how it happens:

DNS challenge fails after a nameserver migration
Let's Encrypt rate limiting kicks in
Nginx or Apache doesn't reload after cert renewal
Wildcard certs that can't auto-renew without manual steps
Client moves hosting, breaks the automation, nobody notices

In every one of these cases the cert expires. The browser shows a security warning. The client calls you.
Domain expiry is worse
At least SSL has auto-renewal as a partial solution. Domain expiry doesn't.
Auto-renew on a domain requires:

Credit card on file at the registrar
Card not expired
Registrar actually processing the charge
Client not accidentally disabling it

I've seen agencies lose client domains because the registrar renewal email went to a former employee's inbox. The domain expired, dropped, and a squatter picked it up within hours.
What the 47-day change means in practice
By 2029 you'll be managing roughly 8 renewal cycles per year per domain instead of one. More cycles means more chances for something to go wrong.
For an agency managing 30 client sites that's potentially 240 renewal events per year to stay on top of.
How I'm handling it
I built ExpiryPing after dealing with this problem on my own freelance work. It monitors SSL certificates and domain expiry across all your client sites and sends email and Slack alerts at 30, 14, 7, and 1 day before anything expires.
No credentials required — you just add the domain name. It connects via standard TLS handshake. Setup takes about 5 minutes for 10 sites.
Free tier available for up to 3 domains. If you want to try it: expiryping.dev
Happy to answer any questions about the SSL lifespan changes or how the monitoring works technically.

Top comments (0)