ExpiryPing
← Back to Blog

July 3, 2026 · 5 min read

Your SSL Is Fine. Your Domain Just Expired.

SSL certificates and domain registrations expire independently, from different vendors, with different failure modes. Monitoring one does not protect you from the other.

Most sites that go dark look identical from the outside: browser error, site unreachable, client calling. But SSL expiry and domain expiry are completely different systems that fail in completely different ways.

If you're monitoring SSL certificates but not domain registrations, you have a blind spot.

The Difference in Plain Terms

An SSL certificate proves your server is who it claims to be. It's issued by a Certificate Authority — Let's Encrypt, DigiCert, Sectigo — and expires on its own schedule, independent of everything else.

A domain registration is the lease on your hostname from a registrar — Namecheap, GoDaddy, Cloudflare. If you don't renew it, the name stops resolving. DNS entries disappear. Your SSL certificate becomes irrelevant because no domain is pointing at your server anymore.

Both take your site offline. Neither one tells the other anything.

Why Domain Expiry Gets Missed

SSL expiry has received a lot of attention — 90-day certificate lifespans, Let's Encrypt automation, browser warnings that are impossible to ignore. Domain expiry hasn't gotten the same scrutiny.

A few reasons it slips through:

  • Domains renew annually or multi-year, not every 90 days. A 12-month interval is long enough to forget entirely.
  • Registrar notifications go to whatever email was on the account at registration — often a personal address, a shared inbox no one owns, or a previous employee's account.
  • Auto-renew is per-domain, not per-account. A domain added during a busy sprint may not have auto-renew toggled on.
  • Payment failures are silent. If the card on file expired or was cancelled, the renewal charge fails quietly and the domain keeps working right up until it doesn't.

The asymmetry with SSL: a broken auto-renewal surfaces within 90 days with a 30-day warning buffer. A missed domain renewal can go unnoticed for an entire billing cycle — and the first sign is often a downed site, not an email.

What Happens When a Domain Expires

The sequence moves quickly once it starts:

  • Expiry date passes — DNS records stop resolving within hours
  • Grace period (typically 0–30 days) — domain is unreachable but renewable at standard price
  • Redemption period (30–60 days) — domain suspended, recovery costs jump significantly
  • Pending delete — domain queued for public release
  • Released to public — anyone can register it, including squatters and competitors

The final step is the failure mode with no clean recovery path. It has happened to companies that weren't paying attention. A lapsed registration plus a missed renewal email is all it takes.

The Confusing Diagnostic

When a domain expires, browsers may still display the old SSL certificate in developer tools if there's DNS cache in play. The certificate looks valid. The expiry date is months away. But the site is completely unreachable.

This sends people chasing the SSL problem when the domain registration is the actual issue.

External SSL monitoring doesn't catch domain expiry. Domain monitoring doesn't catch SSL problems. They're separate checks on separate systems, and neither one substitutes for the other.

Monitoring Both

For SSL: a direct TLS connection to the hostname reads the certificate expiry date — the same check a browser performs.

For domain expiry: a WHOIS query returns the registration expiry date. No access to the registrar account is required. WHOIS data is public.

ExpiryPing runs both checks daily for every domain you add. SSL expiry comes from a live TLS handshake. Domain expiry comes from WHOIS. Both alert at 30, 14, 7, and 1 day out — independently, because they're independent clocks running down toward different failures.

No credentials required for either check. You add the hostname, it watches.

What to Check Right Now

Log into your registrar and confirm for every active domain:

  • Auto-renew is enabled
  • The payment method on file is current and not expired
  • The account email is an inbox someone actually reads

Then add external monitoring so you get an independent alert before any of that fails silently. Domain expiry is the quieter sibling of SSL expiry — less discussed, same result.

ExpiryPing monitors both SSL certificates and domain expiry — alerts at 30, 14, 7, and 1 day

ExpiryPing monitors SSL certificates and domain expiry, with alerts at 30, 14, 7, and 1 day. No credentials required.

Start Free