When your SSL certificate expires and you're the last to know
I opened my blog the other day and got hit with a Cloudflare 526 error. Invalid SSL certificate. The site was down.
The certificate had expired. Certbot is supposed to handle renewals automatically, but somewhere in the process it failed silently — no alert, no email, nothing. It just stopped working and waited for me to notice.
What a 526 error actually means
Cloudflare sits between your visitors and your server. When you run in Full (strict) mode, Cloudflare opens its own TLS connection to your origin and validates the certificate it presents (trusted issuer, matching hostname, not expired) before passing traffic through. If that validation fails, Cloudflare drops the origin connection and returns a 526 (Invalid SSL certificate) to the visitor instead. The same error therefore shows up for a self-signed or mis-issued origin certificate, not only an expired one.
The chain looks like this:
Visitor → Cloudflare ✅ → Your server ❌ (expired cert) → 526 error
Your server is still running. Nginx is still running. Everything looks fine from the inside — but nobody can reach you.
Diagnosing it
First step was checking the certificate status directly on the server:
sudo certbot certificates
Output confirmed it:
Expiry Date: 2026-05-02 15:21:32+00:00 (INVALID: EXPIRED)
Expired six days earlier.
Why the automatic renewal failed
Certbot has to prove you control the domain before Let's Encrypt will issue a certificate. With the webroot (or nginx) authenticator it uses the HTTP-01 challenge: Let's Encrypt fetches a token from http://<domain>/.well-known/acme-challenge/<token> on port 80, and because the domain is proxied, that request goes through Cloudflare before it reaches Nginx.
The problem: Cloudflare was returning 526 errors, so Let's Encrypt couldn't complete the challenge. (Let's Encrypt follows redirects during HTTP-01, so if port 80 redirects to HTTPS, whether through Nginx or Cloudflare's "Always Use HTTPS", the validation request lands on the 526 as well.) Automatic renewal was caught in a loop: it couldn't renew because the cert was expired, and the cert was expired because it couldn't renew.
The fix was the standalone authenticator, which starts Certbot's own temporary web server on port 80 to answer the challenge. It does not stop Nginx for you; Nginx has to be stopped first so the port is free:
sudo systemctl stop nginx
sudo certbot certonly --standalone -d lucianosblog.com -d www.lucianosblog.com
sudo systemctl start nginx
sudo systemctl reload nginx
Certificate renewed. Blog back up. New expiry: August 2026.
One caveat before trusting the timer again: certonly --standalone also records standalone as the authenticator in the renewal config, so the next certbot renew will need port 80 free too. Certbot's --pre-hook "systemctl stop nginx" and --post-hook "systemctl start nginx" options exist for exactly that, and certbot renew --dry-run exercises the whole renewal path without issuing anything.
The real problem: I found out by accident
The certificate had been expired for days before I noticed. That’s the actual issue — not the expiry itself, but the lack of visibility.
CloudWatch was monitoring whether the EC2 instance was running. It was. Nginx was running. From AWS’s perspective, everything was healthy. But the site was returning 526 errors to every visitor.
The fix for this is uptime monitoring — something that checks whether your site actually responds correctly from the outside, not just whether the server is alive.
I set up UptimeRobot — free plan, monitors every 5 minutes, sends an email the moment the site stops responding. Takes about 2 minutes to configure.
UptimeRobot → https://lucianosblog.com every 5 min
↓ if no 200 response
Email alert within 5 minutes
It's a simple check, but anything that stops a real visitor from getting a 200 trips it: server down, Nginx crashed, certificate expired, Cloudflare misconfiguration. Two limits are worth knowing. It tells you that the site is down, not why, so the first move on an alert is still to look at the status code and the origin certificate. And it fires only after visitors are already seeing errors. Certificate expiry is the one outage you can see coming, so it pays to pair the uptime check with one that alerts when the origin certificate has fewer than, say, 14 days left, which means a scheduled renewal has already been missed.
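As an added example, not the post's own script and separate from UptimeRobot, here is that pair of checks in Python: reading the expiry straight off the origin certificate, bypassing Cloudflare, and probing the site from outside the way a monitor does. lucianosblog.com is the post's domain; the origin IP is a placeholder, and the presence of the openssl binary and the 14-day threshold are assumptions. The date strings used below are constructed around the expiry the post shows.

```python
"""Added example (not the blog's own tooling): the two checks that would have
caught this outage early. origin_not_after() reads the expiry directly from the
origin, bypassing Cloudflare; site_status() is the outside-in HTTPS probe an
uptime monitor performs. ORIGIN_IP is a placeholder, not the real server."""
import datetime as dt
import ssl
import subprocess
import urllib.error
import urllib.request

HOST = "lucianosblog.com"      # domain from the post
ORIGIN_IP = "203.0.113.10"     # placeholder (TEST-NET address), assumed
WARN_DAYS = 14                 # certbot renews at 30 days out; under 14 means a renewal was missed


def days_until_expiry(not_after, now):
    """not_after is the notAfter string openssl / ssl.getpeercert() print,
    e.g. 'May  2 15:21:32 2026 GMT'. now is an aware datetime or an ISO 8601
    string such as '2026-05-08T15:21:32+00:00'. Negative means already expired."""
    if isinstance(now, str):
        now = dt.datetime.fromisoformat(now)
    expiry = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=dt.timezone.utc)
    return (expiry - now).total_seconds() / 86400


def evaluate_cert(not_after, now, warn_days=WARN_DAYS):
    """Classify the certificate so an alert can fire before, not after, expiry."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED", days
    if days < warn_days:
        return "EXPIRING", days
    return "OK", days


def parse_enddate(openssl_output):
    """Turn 'notAfter=May  2 15:21:32 2026 GMT' (openssl x509 -enddate) into the bare date."""
    for line in openssl_output.splitlines():
        if line.startswith("notAfter="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no notAfter line in openssl output")


def origin_not_after(origin_ip, host, port=443):
    """Shell out to openssl, which prints the certificate even when it is expired
    (Python's ssl module returns an empty getpeercert() unless verification passes).
    -servername sends SNI so Nginx serves the certificate for this host. Assumes
    openssl is installed."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{origin_ip}:{port}", "-servername", host],
        input=b"", capture_output=True, check=False)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=s_client.stdout, capture_output=True, check=True)
    return parse_enddate(x509.stdout.decode())


def site_status(url, timeout=10):
    """Return the HTTP status a real visitor gets through Cloudflare, or None if nothing answered."""
    req = urllib.request.Request(url, headers={"User-Agent": "cert-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # a 526 arrives here: urllib raises on 4xx/5xx
    except (urllib.error.URLError, OSError):
        return None


def classify_status(code):
    """Map the status to (up, reason) so the alert says more than 'down'."""
    if code == 200:
        return True, "up"
    if code is None:
        return False, "no-response"
    if code == 526:
        return False, "cloudflare-526-origin-certificate"
    if 520 <= code <= 530:
        return False, f"cloudflare-{code}-origin-error"
    return False, f"http-{code}"


if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    state, days = evaluate_cert(origin_not_after(ORIGIN_IP, HOST), now)
    print(f"origin cert: {state} ({days:.1f} days remaining)")
    up, reason = classify_status(site_status(f"https://{HOST}/"))
    print(f"site: {'UP' if up else 'DOWN'} ({reason})")
```

Run it from cron on the server (or any host that can reach the origin IP directly) and alert on anything other than OK and up. Checking the origin by IP rather than by name is the point: going through the proxied hostname would show Cloudflare's edge certificate, which is never the one that expires.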
What I’m doing differently going forward
The renewal failure is a known limitation of HTTP-01 validation behind a proxy that redirects or rejects the request, which is what webroot with Cloudflare in Full (strict) mode amounts to. A cleaner long-term solution is switching Certbot to the Cloudflare DNS challenge (the certbot-dns-cloudflare plugin), which proves control by publishing a TXT record through the Cloudflare API and needs no HTTP access to the origin at all. The caveat is that the API token then lives on the server: create it with only Zone:DNS:Edit on this one zone rather than using the global API key, and keep the credentials file readable by root only, since anyone who reads it can rewrite the zone's DNS. That's on the list.
For now, UptimeRobot gives me the visibility I was missing. If the site goes down, I’ll know within 5 minutes — not days later by accident.
Find me on LinkedIn if you want to talk infrastructure.