Certificate renewal

Re-issuing a TLS certificate before it expires. With Let's Encrypt (90-day certs), this is an unavoidable recurring task; at SaaS scale, it must be automated.

Certificate renewal is the periodic re-issuance of TLS certs before they expire. Let's Encrypt certs are valid 90 days; commercial certs are typically 1 year. Either way, you don't get to set it and forget it.

The standard cadence

  • Issue at 90 days remaining (Let's Encrypt default validity).
  • Begin renewal at 30 days remaining. Plenty of buffer for retries.
  • Alert at 14 days remaining if still not renewed. Something is wrong.
  • Alert loudly at 7 days remaining. Active incident.
  • Cert expired. Outage; the domain stops working.

Most ACME clients (certbot, acme.sh, lego) handle this with a daily cron that checks every cert and renews anything in the renewal window.

What can go wrong

DNS broke. The customer changed their DNS, so the ACME challenge now fails. Renewal retries and keeps failing. You need to detect the renewal failure and email the customer.

Rate-limited. You're trying to renew too many certs at once and Let's Encrypt is throttling you. Stagger renewals over a wider window.

ACME account locked. Your account hit a hard limit or got flagged. You need to switch to a backup account.

Edge can't see the new cert. Renewal happened on a control plane node but the cert never got distributed to the edge nodes. Old cert keeps serving until it expires.
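The cadence above and the rate-limit failure mode, as an added example that is not code from the original page: a Python daily-sweep classifier that maps days remaining onto the escalation ladder and staggers each domain's first renewal attempt across the window so a fleet issued on the same day does not all hit the CA at once. The 30/14/7-day thresholds are the page's; the Cert model, the sha256-based stagger and the sample fleet are assumptions.

```python
import hashlib
from datetime import datetime, timedelta
from enum import Enum
from typing import NamedTuple

class Action(Enum):
    OK = "ok"            # outside the window, or waiting for the staggered start day
    RENEW = "renew"      # in window: attempt renewal today
    ALERT = "alert"      # 14 days or less and still not renewed: alert, keep retrying
    PAGE = "page"        # 7 days or less: page someone, keep retrying
    EXPIRED = "expired"  # outage: the domain has already stopped working

RENEW_AT = timedelta(days=30)
# Escalation ladder from the cadence above, most urgent first: (max remaining, action).
LADDER = [(timedelta(0), Action.EXPIRED), (timedelta(days=7), Action.PAGE),
          (timedelta(days=14), Action.ALERT), (RENEW_AT, Action.RENEW)]

class Cert(NamedTuple):
    domain: str
    not_after: datetime  # expiry read from the certificate (naive UTC here)

def classify(cert: Cert, now: datetime) -> Action:
    remaining = cert.not_after - now
    for at_most, action in LADDER:
        if remaining <= at_most:
            return action
    return Action.OK

def stagger_offset(domain: str, spread_days: int = 7) -> int:
    # Deterministic per-domain day offset so same-day certs do not all hit the CA at once.
    digest = hashlib.sha256(domain.encode()).digest()
    return int.from_bytes(digest[:4], "big") % spread_days

def renewal_start(cert: Cert) -> datetime:
    return cert.not_after - RENEW_AT + timedelta(days=stagger_offset(cert.domain))

def daily_sweep(certs: list[Cert], now: datetime) -> dict[str, Action]:
    # RENEW waits for its staggered start day; ALERT and PAGE never wait, since
    # the 30-day buffer has already been spent on failed attempts.
    result = {}
    for cert in certs:
        action = classify(cert, now)
        if action is Action.RENEW and now < renewal_start(cert):
            action = Action.OK
        result[cert.domain] = action
    return result
# Constructed sample fleet (not customer data), swept on 2024-06-01; window.example is a week into its window, so due at any offset.
NOW = datetime(2024, 6, 1)
FLEET = [Cert(d, NOW + timedelta(days=n)) for d, n in
         [("fresh.example", 31), ("window.example", 23), ("stuck.example", 10),
          ("urgent.example", 3), ("dead.example", -1)]]
```

Run `daily_sweep(FLEET, NOW)` to see one cert land in each band; in production the cron would replace FLEET with the expiry dates read from the live certificate store.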

Why this matters for SaaS

In a single-domain world, expired certs are an embarrassing outage. In a multi-tenant world, an expired cert affects one customer at a time, but if your renewal pipeline has a bug, you can lose 50 customer domains in a single bad rollout.

This is one of the strongest arguments for a custom-domain API: renewal automation is a critical reliability surface that's hard to get right and not core to your product. Outsourcing it is a good trade.

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.