How to Alert When a Certificate Cannot Be Renewed

The internet runs on trust, and a huge part of that trust comes from SSL/TLS certificates. Keeping them renewed is a critical, often automated, task. Most organizations have robust systems to monitor certificate expiry dates, but what happens when the renewal process itself fails? A certificate that's due to expire in 30 days might seem fine on paper, but if your automated renewal system has been silently failing for 20 of those days, you're heading for an outage.

This article dives into the practicalities of detecting and alerting on certificate renewal failures, offering strategies that go beyond simple expiry monitoring. We'll look at how to get insight into the health of your ACME (Automated Certificate Management Environment) clients and infrastructure, ensuring you're alerted long before your public-facing services go dark.

Why Do Renewals Fail?

Certificate renewals, especially with ACME-based services like Let's Encrypt, are designed to be automated and reliable. However, the real world is messy, and many factors can cause a renewal to stumble:

DNS Misconfigurations: This is perhaps the most common culprit for DNS-01 challenges. Incorrect CNAMEs, stale TXT records, or propagation delays can prevent the ACME server from verifying domain ownership.
Firewall Blocks: Outbound connections to ACME servers (e.g., acme-v02.api.letsencrypt.org) might be blocked, or inbound connections for HTTP-01 challenges (port 80) might be disallowed.
Web Server Configuration Issues: The ACME client might fail to write the challenge file to the correct .well-known/acme-challenge directory, or the web server might not be serving it correctly.
Rate Limits: Hitting provider-specific rate limits (e.g., too many failed attempts, too many certificates for a domain) can temporarily halt renewals.
Insufficient Permissions: The ACME client might lack the necessary permissions to modify web server configuration, update DNS records, or write to certificate directories.
ACME Client Bugs or Configuration Errors: An outdated client, a syntax error in its configuration, or a bug can prevent successful execution.
System Resource Exhaustion: Low disk space, memory, or CPU on the server running the renewal process.
API Key Expiry/Revocation: For DNS providers, the API key used by the ACME client might expire or be revoked.
Expired Intermediate Certificates: Less common with modern ACME clients, but an issue if your trust chain is manually managed or misconfigured.

The critical insight here is that many of these issues are infrastructure-related and won't be caught by simply checking the expiry date of the currently active certificate. You need to monitor the process of renewal itself.

The Challenge: Detecting Failure Proactively

Most ACME clients are designed for automation. They run as cron jobs or systemd timers, often silently succeeding. It's their failures that are noisy, typically through non-zero exit codes and detailed logs. Our goal is to capture this "noise" and turn it into actionable alerts.

A key distinction: * Expiry Monitoring: Tells you when a certificate will expire. * Renewal Failure Alerting: Tells you if your system is capable of renewing that certificate.

You need both. Expiry monitoring is your safety net, but renewal failure alerting is your early warning system, allowing you to fix issues long before they become critical.

Strategies for Alerting on Renewal Failure

Let's look at practical methods to detect and alert on renewal problems.

1. ACME Client Exit Codes & Script Wrappers

The simplest and most fundamental way to detect a renewal failure is by checking the exit code of your ACME client. Standard Unix practice dictates that a program exits with 0 on success and a non-zero value on failure.

You can wrap your renewal command in a simple script that checks this exit code and triggers an alert. This method works well for certbot, acme.sh, lego, and other command-line ACME clients.

Concrete Example 1: Basic certbot Renewal Script with Alerting

Let's say you have a cron job that runs certbot renew. You can enhance it:

#!/bin/bash

LOG_FILE="/var/log/certbot-renewal.log"
ALERT_EMAIL="your_oncall_email@example.com"
HOSTNAME=$(hostname)

# Redirect all output to a log file
exec > >(tee -a $LOG_FILE) 2>&1

echo "--- Certbot Renewal Attempt on $(date) ---"

# Use --dry-run for testing, remove for actual renewal
# certbot renew --dry-run
certbot renew

# Check the exit code of the last command
if [ $? -ne 0 ]; then
    echo "Certbot renewal FAILED on $HOSTNAME!"
    echo "Review logs at $LOG_FILE for details."

    # Send an email alert
    # On many Linux systems, 'mailx' or 'mail' needs to be installed and configured
    echo "Certbot renewal FAILED on $HOSTNAME. Check logs: $LOG_FILE" | \
        mail -s "CRITICAL: Certbot Renewal Failure on $HOSTNAME" $ALERT_EMAIL

    # Alternatively, send to Slack via webhook (requires 'curl' and a Slack webhook URL)
    # SLACK_WEBHOOK_URL="https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
    # curl -X POST -H 'Content-type: application/json' --data '{"text":"<!channel> CRITICAL: Certbot renewal FAILED on '$HOSTNAME'. Check logs for details."}' $SLACK_WEBHOOK_URL

    exit 1 # Indicate script failure
else
    echo "Certbot renewal SUCCEEDED on $HOSTNAME."
    exit 0 # Indicate script success
fi

This script does the following: * Logs all output to a file. * Runs certbot renew. * Checks the exit code ($?). * If failure (-ne 0), it prints an error, sends an email (or Slack message), and exits with a non-zero code itself. * If success, it simply logs a success message.

You can schedule this script via cron or systemd.timer instead of directly calling certbot renew.

2. Monitoring ACME Client Logs

While exit codes tell you if a renewal failed, logs tell you why. ACME clients typically produce verbose logs that detail every step of the challenge and renewal process. Integrating these logs into your existing log aggregation and monitoring systems can provide deeper insights.

You can configure your log monitoring solution (e.g., ELK Stack, Splunk, Grafana Loki, Promtail, Datadog, Sumo Logic) to parse certbot's logs (usually found in /var/log/letsencrypt/) or the custom log file from the script above.

Concrete Example 2: Parsing certbot Logs for Specific Errors

If you're using systemd to manage certbot (e.g., systemctl status certbot.timer), its output often goes to the journal. You can use journalctl to inspect it.

```bash

To view logs for certbot.service or certbot.timer

journalctl -u certbot.service -u certbot.timer -n 100 --since "1 day ago" | grep -i "failed|error|challenge problem"

Example of a cron job that checks logs for errors and alerts

!/bin/bash

This script would run periodically, e.g., daily, independent of the renewal attempt

It looks for specific failure patterns in recent logs.

LOG_FILE="/var

How to Alert When a Certificate Cannot Be Renewed

How to Alert When a Certificate Cannot Be Renewed

Why Do Renewals Fail?

The Challenge: Detecting Failure Proactively

Strategies for Alerting on Renewal Failure

1. ACME Client Exit Codes & Script Wrappers

2. Monitoring ACME Client Logs

To view logs for certbot.service or certbot.timer

Example of a cron job that checks logs for errors and alerts

!/bin/bash

This script would run periodically, e.g., daily, independent of the renewal attempt

It looks for specific failure patterns in recent logs.

Related articles

Watch your TLS certs so you don't have to.