At some point, every self-hoster has woken up to expired certs.
The site’s down, the browser screams, and you’re manually copying PEM files at 2 a.m.
It doesn’t have to be like this.
Automate Early, Sleep Later
Manual renewal is a time bomb:
- Human memory is unreliable
- Cert lifetimes are shorter than ever
- You will forget the one that matters most
Use ACME clients (like certbot, acme.sh) to auto-renew:
- Schedule renewals with cron or systemd timers
- Hook into your web server or reverse proxy for reloads
- Test the full chain, not just issuance
Centralise Where Possible
If you run multiple services:
- Terminate TLS at a reverse proxy (nginx, Caddy, Traefik)
- Let the proxy handle cert renewal; backend traffic stays internal
- Fewer certs to track, less duplication
Centralisation reduces moving parts, but document your setup.
Wildcards and SANs
Let’s Encrypt supports:
- Wildcard certs for *.yourdomain.com
- Subject Alternative Names for multiple subdomains on one cert
Fewer certs means fewer expiry points — just keep DNS automation secure.
Monitor Expiry Proactively
Even with automation:
- Set up a simple script or use an external service to alert 30 days before expiry
- Log renewals and reload failures
- Make expiry dates visible in your dashboard or status page
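A minimal monitor that does what the two lists above ask for: it connects to each endpoint with a default TLS context (so the full chain and hostname are validated the way a browser would, not just "a cert was issued"), computes days to expiry from the served certificate, and logs a warning at the 30-day mark. This is an added example, not code from the original post; the hostnames in `run()` are placeholders, and `WARN_DAYS` and `check_endpoint` are names chosen here.

```python
"""Certificate expiry monitor (added example, stdlib only).

Checks a list of TLS endpoints, validates the chain against the system
trust store, and flags anything within WARN_DAYS of expiry. A renewed cert
that was never reloaded into the proxy shows up here as WARN/EXPIRED, and a
missing intermediate shows up as CHAIN_ERROR.
"""
import logging
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 30  # alert threshold from the post

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("cert-monitor")


def to_epoch(cert_time: str) -> float:
    """Parse the 'notAfter' format getpeercert() returns, e.g. 'Jun  1 12:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def days_left(not_after: str, now: Optional[float] = None) -> float:
    """Days until the certificate's notAfter; negative means already expired."""
    now = time.time() if now is None else now
    return (to_epoch(not_after) - now) / 86400


def classify(days: float, warn_days: int = WARN_DAYS) -> str:
    """Map days-to-expiry onto the three states worth alerting on."""
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARN"
    return "OK"


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with a default context: hostname check + chain validation against system roots."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain did not validate: missing intermediate, wrong name, or an expired leaf.
        return {"host": host, "status": "CHAIN_ERROR", "detail": str(exc)}
    except (OSError, ssl.SSLError) as exc:
        # Network or protocol failure; worth alerting on too, the service may be down.
        return {"host": host, "status": "CONNECT_ERROR", "detail": str(exc)}
    days = days_left(cert["notAfter"])
    return {
        "host": host,
        "status": classify(days),
        "days_left": round(days, 1),
        "not_after": cert["notAfter"],
    }


def run(hosts):
    """Check every host, log non-OK results at ERROR so they stand out in journald/syslog."""
    results = [check_endpoint(h) for h in hosts]
    for r in results:
        level = logging.INFO if r["status"] == "OK" else logging.ERROR
        log.log(level, "%s", r)
    return results


if __name__ == "__main__":
    # Placeholder hostnames: replace with the endpoints you actually serve.
    run(["example.com", "www.example.com"])
```

Run it from the same cron or systemd timer that drives renewal, a few minutes after the renewal job, so a failed reload is caught the same day rather than 89 days later; the structured dict it logs is easy to feed into whatever dashboard or status page you already have.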
Trust, but verify.
Don’t Forget Internal Services
Intranets and self-signed certs rot too:
- Use your own ACME-compatible CA (e.g. step-ca) for internal endpoints
- Distribute trust anchors to devices once, not per-service
- Treat “internal” with the same paranoia as “external”
Certificates Are Plumbing
TLS isn’t glamorous. It’s infrastructure glue:
- You don’t need enterprise PKI to get it right
- You need automation, visibility, and recovery paths
A boring cert setup is a healthy one.
No more weekend fire drills.