If your domain expires, anyone can buy it — often within hours. Expired SSL certificates are less lasting but just as harmful. Browsers will block visitors with a full-screen warning until you fix it. Both are quiet failures. No alarm goes off. Your registrar sends a renewal email that lands in spam. By the time you notice, the damage is done.
I lost a client project's domain in 2022. The credit card on file with Namecheap had expired two months earlier. The auto-renew failed without a sound. By the time I noticed 40 days later, the domain was in redemption. Recovery cost $150 on top of the $12 renewal fee. The client's email was down for three days. I now keep a calendar alert for every domain I manage, no matter the auto-renew status.
Can Someone Else Buy My Expired Domain?
Domain expiry doesn't happen all at once. It plays out in stages. Each one gets more costly and harder to reverse.
First there's a grace period — usually about 30 days after the expiry date. During this window, most registrars let you renew at the normal price. Your website and email may already be down. But you can still get the domain back without a fight.
After that comes the redemption period, another 30 days or so. You can still reclaim the domain. But registrars charge steep fees — often $80 to $200 on top of the regular renewal price. Some charge even more. ICANN requires this period. Registrars have no reason to make it cheap.
| Stage | Days After Expiry | Cost to Recover | What Happens |
|---|---|---|---|
| Grace period | 0–30 days | Normal renewal price | Site goes down; domain can still be renewed at standard rate |
| Redemption period | 30–60 days | $80–$200+ premium | Domain held by registrar; steep recovery fee on top of renewal |
| Pending delete | 60–75 days | Not recoverable | Waiting for ICANN release; domain cannot be renewed |
| Public release | 75+ days | Auction / registration price | Anyone can buy it; squatters grab valuable domains in seconds |
And it's not just the website you lose. Every email on that domain stops working. Business cards, invoices, marketing materials — all point to a dead link. Years of SEO rankings vanish overnight. Domains are part of the long list of things people forget expire. This one has some of the steepest costs.
Domain Renewal: Step-by-Step
The renewal process is simple. The hard part is remembering to do it and making sure the payment goes through.
- Log in to your registrar dashboard. Common ones include Namecheap, Cloudflare, GoDaddy, and Porkbun. Don't remember which registrar holds your domain? Do a WHOIS lookup at whois.icann.org. It'll tell you.
- Turn on auto-renew. Every registrar offers this. Make it your default setting. But don't stop there — more on why auto-renew isn't foolproof in a moment.
- Check the payment method on file. If the credit card expires before your domain does, auto-renew fails without warning. Log in and check. Swap in a card that won't expire for at least two years.
- Think about multi-year renewal. Most registrars give a discount if you renew for 2-5 years at once. A .com that costs $12/year might be $9/year on a 3-year renewal. You also remove renewal risk for that whole period.
- Think about moving to a cheaper registrar. GoDaddy's renewal prices are well known to be higher than the first purchase price. Cloudflare sells domains at cost with zero markup. A transfer often costs one year's renewal and extends your time by a year. It pays for itself.
SSL Certificate Types and Lifespans
Not all SSL certificates are the same. The type you have decides how often you need to deal with renewal.
- DV (Domain Validation) — the most common type. Let's Encrypt issues these for free. They last 90 days. Paid DV certs from Comodo or DigiCert usually last 1 year. All DV proves is that you control the domain.
- OV (Organization Validation) — requires proving that your group actually exists. Takes a few days to issue. Lasts up to 1 year. Used by businesses that want more trust than a basic DV cert.
- EV (Extended Validation) — the deepest check. The CA reviews your legal entity, physical address, and who approved it. Also lasts up to 1 year. Banks and financial firms often use these.
- Wildcard certificates — covers a domain and all its subdomains (*.example.com). Available in DV and OV flavors. Same lifespan rules apply.
One rule governs all of them: the CA/Browser Forum caps certificate life at 398 days. That's roughly 13 months. No public CA can issue a cert valid for longer than that. So at a minimum, you're renewing every cert at least once a year.
How to Renew an SSL Certificate
The renewal process depends on how you got the cert in the first place.
Let's Encrypt (free, automated): If you set up certbot or another ACME client the right way, renewal happens on its own every 60-90 days. The catch: "the right way" means a cron job or systemd timer that actually runs. Servers get moved. Cron jobs get deleted. Then your cert expires. Run certbot renew --dry-run to verify auto-renewal is working.
Paid certificates: These require manual renewal. Generate a new CSR (Certificate Signing Request) from your server. Submit it to your CA. Complete the validation they require. Then download the new cert files and install them on your web server. Restart the server after. The whole process takes 15 minutes if you know what you're doing. It can take hours if you're fixing broken certificate chains.
Quick check: Click the padlock icon in your browser's address bar on any page of your site. You'll see the cert's expiry date right there. Or use an online SSL checker like SSL Labs. It tests your cert and flags issues like an upcoming expiry.
Managed hosting: Platforms like Vercel, Netlify, and most modern hosts handle SSL on their own using Let's Encrypt. If you're on one of these, you likely don't need to think about SSL renewal at all. But verify. Don't assume.
The Auto-Renew Trap
Auto-renew is the right default. Turn it on for every domain you own. But don't treat it as a set-and-forget fix. It fails more often than people think.
Expired credit cards are the top reason auto-renew fails. Your card provider issues a new card with a new expiry date. You turn it on and forget that 14 other online services are still trying to charge the old one. Your registrar tries to bill the expired card. The charge fails. Your domain starts its countdown to deletion.
Changed email addresses are the second biggest issue. Registrars send failure notices by email. If the email on file is an old address you no longer check, you'll never see the warning. Even worse: it might be an address on the very domain that's expiring.
Registrar policy changes happen too. Some registrars have switched from auto-renew-by-default to opt-in-only. This resets existing users' settings. Others charge more on auto-renewal than manual renewal. That's sneaky but legal. Always check the renewal price before assuming auto-renew is saving you money.
The pattern here is the same one that causes subscription payment issues in general. You set something up. Your payment details change. The automated system breaks with no warning. One yearly check of every auto-renewing service would prevent most of these failures.
Keeping Everything Tracked
Most small businesses juggle more expiry dates than they think. Two to five domains is typical. Each might be at a different registrar. Then there are SSL certs — maybe separate ones for subdomains, staging setups, and API endpoints. Add hosting, CDN plans, email services, and DNS tools. You've got a dozen renewal dates spread across a dozen dashboards.
A spreadsheet works until it doesn't. The problem: nobody opens them on their own. You update it when you buy a new domain. Then you forget about it for 11 months. By the time you check, something has already lapsed. What you need is a system that comes to you — one that sends alerts 60 days, 30 days, and 7 days before each renewal.
Whatever system you use, track these four things for every domain and cert:
- Registrar or CA name and login credentials (stored in a password manager, not a sticky note)
- Exact renewal date — not just the month. The exact day matters when grace periods are counted in days, not weeks.
- Payment method on file — which card, when that card expires, and whether auto-renew is enabled
- Contact email — the address receiving renewal notices. Make sure it's one you actually read.
This might sound like overkill for a couple of domains. But the business owner who lost her $12-a-year domain and paid $2,500 to get it back would disagree. Tracking costs almost nothing. Forgetting does not.
For official domain info, visit ICANN's domain registration guide. For free automated SSL certs, check out Let's Encrypt — millions of websites use it. Also check your credit card expiration dates. An expired payment method is the top reason auto-renew fails for domains.