SSL certificate renewal manager · commands + auto-renew + expiry
An expired certificate is such a dumb way to take a site down. Avoidable, every time. So pick your ACME client, pick a challenge, and this thing spits out the full issue, renew, dry-run and auto-renewal schedule for certbot, acme.sh, lego, dehydrated, Caddy, cert-manager (Kubernetes), win-acme and Posh-ACME. Ready to paste. The expiry calculator does the boring math: days left, and the day you should actually renew. And the openssl snippets read any cert (live or sitting on disk), check the chain, poke at OCSP stapling, even nag you by email before the thing lapses. None of it leaves your browser.
Tip: Let's Encrypt certs live 90 days. Renew at 60 (so you’ve still got 30 in the tank if something goes sideways). Drop your expiry date in the box above, or pull it straight off the cert with the openssl line in the “Check expiry” tab.
How certificate auto-renewal works
Every TLS/SSL certificate has a shelf life. 90 days for Let's Encrypt and ZeroSSL, longer if you pay a CA for the privilege. Auto-renewal is just an ACME client waking up every day, checking the clock, and re-issuing before things lapse. Then it reloads your web server so the new file actually gets served. Issuing the cert? Easy. That part basically never breaks. What breaks, and I’ve watched it happen more than once, is the reload hook nobody wired up (fresh cert on disk, old one still going out to browsers) or a scheduler that quietly died months ago and nobody noticed. So this tool hands you the renewal command and the schedule both, plus a dry-run so you can prove the whole thing works before you trust it with anything that matters.
Pick the right ACME client
| Client | Best for |
|---|---|
| certbot | The Let's Encrypt reference client on Linux with nginx/apache plugins. Installs its own systemd timer. |
| acme.sh | Pure shell, no dependencies, huge list of DNS providers. Installs its own cron job. |
| Caddy | Web server with automatic HTTPS built in. Nothing to schedule, it renews itself. |
| win-acme | Windows and IIS. Creates a Windows Scheduled Task automatically. |
| Posh-ACME | PowerShell module for Windows automation and DNS challenges. |
HTTP-01 vs DNS-01 validation
HTTP-01 proves you own the domain by serving a little token over port 80. You can do that through the nginx or apache plugin, or point it at a webroot folder, or just let the client spin up a standalone server for a second. Simplest path, honestly. The catch: it flat-out can’t do wildcards. DNS-01 proves the same thing a different way, by dropping a TXT record into your zone. That works even when the box is firewalled off, and it’s the only route to a wildcard (*.example.com). So go DNS-01 with your provider plugin if you need that wildcard, or if port 80 just isn’t reachable from the outside.
Frequently asked questions
How do I check when my SSL certificate expires?
Live site? Run `echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate`. Got the file locally instead, `openssl x509 -enddate -noout -in cert.pem` does it. Or skip the terminal entirely: paste the date into the calculator up top and it’ll tell you the days left plus when you ought to renew. The “Check expiry” tab builds these lines for your own domain, by the way.
When should a Let's Encrypt certificate be renewed?
90 days, that’s the Let's Encrypt lifespan. The clients jump in around day 60 on their own, which buys you a 30-day cushion. Try to renew sooner than the 30-days-left mark and nothing happens, it’s a no-op unless you force it. Which is exactly why a daily timer that only fires when there’s actually work to do is the right call.
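The renewal-window math described above, as an added example that is not part of the original page: it takes the `notAfter=` line that `openssl x509 -noout -enddate` prints and reports days left, the renew-on date and a status word. It assumes GNU `date`; the function names and status words are illustrative choices.

```bash
#!/bin/sh
# Added example, not part of the original page. Requires GNU date (date -d).
RENEW_BEFORE_DAYS=30   # renew once 30 or fewer days remain (day 60 of 90)

# "notAfter=Sep  1 12:00:00 2025 GMT" -> Unix timestamp.
# Rejects empty input explicitly: GNU date parses "" as today at midnight.
not_after_epoch() {
    [ -n "${1#notAfter=}" ] || return 2
    date -u -d "${1#notAfter=}" +%s 2>/dev/null
}

# Whole days until expiry, rounded down so an expired cert is always < 0.
# $2 is "now" in epoch seconds; it defaults to the current time.
days_left() {
    local expiry now diff
    expiry=$(not_after_epoch "$1") || return 2
    now=${2:-$(date -u +%s)}
    diff=$(( expiry - now ))
    if [ "$diff" -lt 0 ]; then diff=$(( diff - 86399 )); fi
    echo $(( diff / 86400 ))
}

# Calendar date (UTC) on which renewal should start.
renew_on() {
    local expiry
    expiry=$(not_after_epoch "$1") || return 2
    date -u -d "@$(( expiry - RENEW_BEFORE_DAYS * 86400 ))" +%Y-%m-%d
}

# One word a cron job or monitor can act on.
renewal_status() {
    local left
    left=$(days_left "$1" "$2") || { echo UNPARSEABLE; return 2; }
    if   [ "$left" -lt 0 ];                    then echo EXPIRED
    elif [ "$left" -le "$RENEW_BEFORE_DAYS" ]; then echo RENEW_NOW
    else                                            echo OK
    fi
}

# Usage: sh expiry.sh cert.pem   (does nothing when run without arguments)
if [ "$#" -ge 1 ]; then
    line=$(openssl x509 -noout -enddate -in "$1")
    echo "$(renewal_status "$line"): $(days_left "$line") days left," \
         "renew on $(renew_on "$line")"
fi
```

The UNPARSEABLE branch matters in monitoring: if `openssl` fails and returns nothing, the check reports a problem instead of silently treating the empty string as a valid date.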
Why did my certificate expire even though auto-renew was set up?
Almost always one of two things. Either the scheduler quietly stopped (go check `systemctl list-timers` or your cron) or the renewal actually worked but nothing reloaded the web server, so it just kept handing out the stale cert. Wire up a deploy or reload hook like `systemctl reload nginx` and don’t skip it. Then run the dry-run this tool spits out to confirm the loop closes.
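A check for the missing-reload failure described here and in "How certificate auto-renewal works", as an added example that is not part of the original page: it compares the SHA-256 fingerprint of the certificate on disk with the one the server actually presents. The function names and the three state words are illustrative; the certificate path and hostname are whatever your setup uses.

```bash
#!/bin/sh
# Added example, not part of the original page.

# Reduce "sha256 Fingerprint=AB:CD:..." to bare upper-case hex. OpenSSL
# releases differ in the label's case, so compare only the digest itself.
normalize_fp() {
    printf '%s' "${1#*=}" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the certificate file the ACME client wrote.
# With a chain file, openssl x509 reads the first certificate (the leaf).
disk_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null
}

# SHA-256 fingerprint of the leaf certificate the server hands out.
live_fp() {
    echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" \
        2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Compare the two fingerprints and classify the result.
served_state() {
    local disk live
    disk=$(normalize_fp "$1"); live=$(normalize_fp "$2")
    if [ -z "$disk" ] || [ -z "$live" ]; then
        echo UNKNOWN; return 2          # file unreadable or host unreachable
    elif [ "$disk" = "$live" ]; then
        echo IN_SYNC; return 0
    else
        echo STALE_SERVED; return 1     # renewed on disk, never reloaded
    fi
}

# Usage: sh served.sh /path/to/cert.pem example.com [port]
if [ "$#" -ge 2 ]; then
    served_state "$(disk_fp "$1")" "$(live_fp "$2" "$3")"
fi
```

Run it from the same daily schedule as the renewal, after the reload hook, and alert on any exit status other than 0.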
How do I test renewal without hitting rate limits?
Dry-run it. `certbot renew --dry-run` if you’re on certbot, or aim at the staging endpoint with whatever client you’ve got. The dry-run talks to the Let's Encrypt staging environment, so it won’t eat into your production rate limit and won’t touch your live certificate either. Test all you want.
Can I get a wildcard certificate this way?
You can, but DNS-01 is the only way in. Pick DNS-01 and your provider above, then toss in a domain like *.example.com. The client writes a TXT record to prove you control the entire zone, and that’s a trick HTTP validation simply can’t pull off.
Is this tool safe to use with my domain details?
It is. The whole thing runs in your browser and all it does is stitch together command text from what you typed. Nothing gets sent anywhere, not your domains, not your email, not keys. Copy the commands out and run them on your own box.