Good question - thresholds depend on your cert type:
For Let's Encrypt (Origin/Traefik):
- 30 days → Warning (should have auto-renewed by now)
- 14 days → Critical (renewal is broken, investigate)
- 7 days → Page yourself
Let's Encrypt issues 90-day certs and Traefik/Certbot typically renew at 30 days remaining. If you're hitting 30 days, something's stuck - usually a failed ACME challenge or DNS propagation issue.
For Cloudflare Edge:
- 14 days → Warning (rare, but Cloudflare can hiccup)
Cloudflare auto-manages these, so failures are uncommon. But I've seen edge certs fail to renew on domains with complex CNAME setups.
My cron setup:
# Daily check at 6am
0 6 * * * /opt/scripts/check_certs.sh 2>&1 | logger -t cert-check
# Inside the script:
WARN_DAYS=30
CRIT_DAYS=14
# days_remaining is computed earlier in the script from the served cert's
# notAfter date (openssl x509 -noout -enddate)
if [ "$days_remaining" -lt "$CRIT_DAYS" ]; then
    : # Send to Slack/PagerDuty
elif [ "$days_remaining" -lt "$WARN_DAYS" ]; then
    : # Log warning, email
fi
The origin check is the one that saves you - Cloudflare will happily serve a cached page while your backend cert is expired, and you won't know until someone hits an uncached route and gets a 526 error.
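A fuller version of that check, covering both the Cloudflare edge cert and the Let's Encrypt cert on the origin behind it, added here as an example (this is not the poster's check_certs.sh). It assumes a Linux host with GNU date (-d) and the openssl CLI; app.example.com and the origin IP 203.0.113.10 are placeholders. The thresholds are the ones from the post above.

```shell
#!/bin/sh
# Added example, not the original poster's check_certs.sh. Assumes a Linux box with
# GNU date (-d) and the openssl CLI; app.example.com and 203.0.113.10 are placeholders.

# Thresholds in days remaining, per cert type, matching the post above.
LE_WARN=30; LE_CRIT=14; LE_PAGE=7     # Let's Encrypt on the origin (Traefik/Certbot)
CF_WARN=14                            # Cloudflare edge cert

# days_until NOTAFTER [NOW_EPOCH]: whole days from now until a notAfter string as
# printed by `openssl x509 -enddate` (e.g. "Jan 31 00:00:00 2030 GMT"). Negative
# means already expired. NOW_EPOCH is optional and only there to make tests deterministic.
days_until() {
    end_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# classify KIND DAYS: prints OK, WARN, CRIT or PAGE using the thresholds above.
classify() {
    case "$1" in
        letsencrypt)
            if   [ "$2" -lt "$LE_PAGE" ]; then echo PAGE
            elif [ "$2" -lt "$LE_CRIT" ]; then echo CRIT
            elif [ "$2" -lt "$LE_WARN" ]; then echo WARN
            else echo OK; fi ;;
        cloudflare)
            if [ "$2" -lt "$CF_WARN" ]; then echo WARN; else echo OK; fi ;;
        *)  echo "unknown cert kind: $1" >&2; return 1 ;;
    esac
}

# fetch_notafter HOST ADDR: notAfter of the leaf cert that ADDR presents when asked
# for HOST via SNI. Passing the origin's IP as ADDR bypasses Cloudflare, which is the
# only way to see the backend cert that a 526 would be complaining about.
fetch_notafter() {
    echo | openssl s_client -servername "$1" -connect "$2:443" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# check KIND HOST ADDR: one status line, e.g. "CRIT letsencrypt app.example.com 12d".
check() {
    end=$(fetch_notafter "$2" "$3")
    if [ -z "$end" ]; then
        echo "ERR $1 $2 via $3: no certificate returned"
        return 1
    fi
    days=$(days_until "$end")
    echo "$(classify "$1" "$days") $1 $2 ${days}d (notAfter $end)"
}

# Usage: ./check_certs.sh KIND HOST ADDR, e.g.
#   ./check_certs.sh cloudflare  app.example.com app.example.com   # edge cert
#   ./check_certs.sh letsencrypt app.example.com 203.0.113.10      # origin cert, direct
if [ "$#" -eq 3 ]; then
    check "$1" "$2" "$3"
fi
```

The origin check connects straight to the backend IP with the public hostname as SNI, so Cloudflare's cache and edge cert are out of the picture. That only works if the monitoring host can reach the origin on 443; if you've locked the origin down to Cloudflare's IP ranges, run the check from inside that network. Anything that prints ERR (no cert returned) deserves the same alert as CRIT, since it usually means the TLS listener itself is down.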