2025Let's Encrypt stopped emailing you before your certs expire.

Never explain an expired
certificate again.

An expired or misconfigured certificate takes your site down and puts a scary red warning in front of every visitor. CertPost catches it first — and tells you by email or webhook while it's still a quiet fix. From $9 a month, three free forever.

Free instant check. No signup, no email, no crawler — we read the certificate your server presents to real visitors.

762M
websites lost Let’s Encrypt’s expiry emails in 2025
47-day
certificates by 2029 — about 9x more renewals to get wrong
Minutes
of downtime from one expired cert can cost a day of firefighting

WhyRenewal isn't the risky part.

The ways a certificate takes you down

Watching the renewal job tells you a script ran. It doesn't tell you what your visitors are getting. CertPost checks the certificate on the wire, so you hear about these on day one, not on expiry day.

certbot renewed. nginx never reloaded.

The renewal succeeded on disk, but your server is still handing out the old certificate. You find out the same afternoon, while you can still reload quietly, instead of when it expires.

The intermediate expired, not your cert.

Your certificate was fine. The CA chain behind it was not, and the whole site went down anyway (this is what AddTrust did in 2020). You get warned about a dying link in the chain, not just the leaf.

A customer noticed before you did.

The first sign was a screenshot in your inbox. Instead, you get one clear alert at 30, 14, 7, and 1 day, plus an instant heads-up on chain breaks, hostname mismatches, and unexpected certificate changes.

HowTwo minutes, no agent.

Paste your list. That's the whole setup.

Domains, URLs, or host:port, one per line. No agent to install, no DNS to change. We start checking the moment you add them.

  1. Step 1

    We watch from the outside

    Every 6 hours (down to 15 minutes on Agency), against the exact certificate your visitors receive. Any port, IPv4 and IPv6, wildcards and SANs understood.

  2. Step 2

    You get one alert you can act on

    Email or any webhook. No flapping, no duplicates. A renewed certificate quietly re-arms its own reminders.

  3. Step 3

    Silence never means broken

    A weekly all-clear digest confirms everything is green. If it doesn’t arrive, that tells you something too.

Pricing3 certificates free forever. No card.

One flat price. Stop counting certificates.

Cheaper than TrackSSL from your third certificate, and 74% cheaper by your fiftieth. Add every certificate you're responsible for. We don't count them.

Most popular
Personal
Every certificate for your own sites. One flat price.
$9.00/month
Billed monthly
  • Up to 100 certificates
  • Checks every 6 hours
  • Email & webhook alerts
  • Chain & hostname validation
  • TLS & security-header grades
  • Email authentication (SPF/DKIM/DMARC)
  • DNS security (DNSSEC, CAA, takeover)
  • Domain expiry monitoring
  • Weekly all-clear digest
Team
For teams that share the pager.
$29.00/month
Billed monthly
  • Everything in Personal
  • Unlimited certificates
  • Checks every hour
  • Up to 5 team members
  • Certificate Transparency alerts
  • Reputation & threat intelligence
Agency
Watch every client, prove it with status pages.
$79.00/month
Billed monthly
  • Everything in Team
  • Checks every 15 minutes
  • Public status pages for clients
  • Priority support

Coming from TrackSSL? See the side-by-side comparison

FAQStraight answers

Questions people ask before signing up

The objections worth answering up front. More in the full FAQ.

Do I still need this if I use Let’s Encrypt with auto-renew?

Yes. Auto-renew fails quietly: a DNS challenge breaks, a rate limit hits, or certbot renews but the web server never reloads and keeps serving the old certificate while the logs say success. CertPost checks the certificate your server is actually serving, so a silent failure gets caught before it becomes a browser warning. Let’s Encrypt also stopped sending expiry emails in June 2025, so it is no longer your backstop.

How is CertPost different from UptimeRobot or StatusCake?

Uptime tools ping your site and treat SSL as a checkbox, usually checking leaf expiry only. CertPost is a dedicated certificate monitor: it validates the full chain including expiring intermediates, checks the hostname matches, detects unexpected certificate changes, and works on any TLS port. It also watches your domain registration expiry and Certificate Transparency logs.

What do I get for free?

Three certificates, checked daily, with every alert channel: email and webhooks. Free forever, commercial use welcome, no credit card. Enough for your main domain, www, and API. Personal is $9/month for up to 100 certificates, and Team is unlimited.

Can it monitor mail servers and non-HTTPS ports?

Any TLS port. Add smtp.example.com:465, an LDAPS endpoint on :636, or an admin panel on :8443 the same way you add a website. IPv4 and IPv6 both work. When a mail server certificate expires, mail silently stops, and this is exactly the certificate nobody remembers to renew.

Do I have to install anything?

No agent, no DNS changes, no code. Paste your domains and CertPost checks them from the outside, the same way a browser does. Setup takes about two minutes.

The next expired certificate won't be yours.

Check a domain right now — two seconds, no account. Like what you see? Your first three certificates are free forever.