HomeReadTools deskThe standard stack for SSL certs outside Kubernetes
Tools·Jul 7, 2026

The standard stack for SSL certs outside Kubernetes

A practical guide to the default open-source tools for SSL certificate renewal and monitoring on traditional servers, based on established community practices for non-containerized workloads. The…

A practical guide to the default open-source tools for SSL certificate renewal and monitoring on traditional servers, based on established community practices for non-containerized workloads.

The Answer Up Front

For teams running services on Linux virtual machines or bare metal, the standard choice is Certbot, the EFF's client for the free Let's Encrypt certificate authority. For Windows Server and IIS, the equivalent is win-acme. To monitor certificate expiration, use Prometheus's blackbox_exporter. This stack is free, battle-tested, and automates a process that was once manual and error-prone. Skip this approach only if you have specific enterprise or compliance requirements for a commercial Certificate Authority (CA).

Methodology

This v0 review synthesizes established best practices for SSL certificate management as reflected in a community discussion on Reddit. It is not a hands-on benchmark but an overview of the de facto standard toolchain for environments outside of Kubernetes. Update cadence: this piece will be updated if a significant new tool displaces the current standards.

  • Tools Observed: Certbot (v2.11.0), win-acme (v2.2.10), Prometheus blackbox_exporter (v0.25.0)
  • Date Observed: June 27, 2026
  • Source Signal: "Certificate renewal and monitoring" from r/devops, URL: https://www.reddit.com/r/devops/comments/1uf5wh3/certificate_renewal_and_monitoring/
  • What's Covered: The function and typical use case for each component of the standard free stack: obtaining, renewing, and monitoring SSL certificates.
  • What's Not Covered: Independent performance testing, edge-case configurations (like complex DNS challenges for wildcard certificates), paid enterprise Certificate Lifecycle Management (CLM) platforms, or Kubernetes-native solutions like cert-manager.

What It Does

This stack solves the three core problems of certificate management: issuance, renewal, and monitoring.

Issuance and renewal on Linux

Certbot is a command-line client that automates interactions with any ACME-compliant CA, most commonly the free Let's Encrypt service. For a standard web server, the process is straightforward. Running certbot --nginx or certbot --apache will automatically detect your server configuration, request a certificate, prove you control the domain (the "ACME challenge"), and install the certificate. Crucially, it also configures a cron job or systemd timer to run certbot renew periodically, which handles renewal automatically before the 90-day certificates expire.

Issuance and renewal on Windows

For Windows environments, particularly those using Internet Information Services (IIS), win-acme is the direct equivalent of Certbot. It's an interactive command-line tool that guides the user through selecting an IIS site, setting up the validation method, and installing the certificate. Like Certbot, it creates a Scheduled Task in Windows to handle automatic renewals, making it a set-and-forget solution for most use cases.

Expiration monitoring

Prometheus's blackbox_exporter provides external monitoring for your endpoints. It can be configured to perform an ssl probe on an HTTPS endpoint. This probe returns metrics, including probe_ssl_earliest_cert_expiry, a timestamp for when the certificate will expire. You can then configure Prometheus to scrape this metric and an Alertmanager rule to fire an alert if the certificate is, for example, within 14 or 30 days of expiration. This provides a critical safety net, notifying you if the automated renewal process fails for any reason.

What's Interesting / What's Not

The most interesting aspect of this toolchain is that it represents a solved problem for the vast majority of users. The combination of the ACME protocol, Let's Encrypt's free CA, and robust clients like Certbot and win-acme effectively demonetized basic SSL certificates. What was once a recurring operational cost and a manual, risky process is now a free, automated background task. This is a foundational piece of modern web infrastructure.

The monitoring component is a classic example of the Prometheus philosophy. Instead of checking from inside the server (where a broken renewal script might falsely report success), blackbox_exporter checks from the outside, verifying what a real user would see. This external, black-box approach is more resilient.

What's not interesting is the pace of innovation. These tools are mature and stable, which is exactly what you want for critical infrastructure. The primary risks are not bugs in the tools themselves but environmental issues: a firewall blocking an ACME challenge, a misconfigured cron job, or a DNS change that invalidates the setup. The solution is not a different tool, but robust monitoring, which is where blackbox_exporter fits in.

Pricing

All components of this stack are free and open source.

  • Let's Encrypt: Free certificate authority.
  • Certbot: Free client, maintained by the EFF.
  • win-acme: Free client (MIT License).
  • Prometheus blackbox_exporter: Free monitoring tool (Apache 2.0 License).

Pricing snapshot taken June 27, 2026. The only cost is the engineering time for the initial setup, which is typically less than an hour per server.

Verdict

For any founder or small team running services on virtual machines or bare metal, this is the default stack for SSL certificate management. There is little reason to consider anything else unless you have specific compliance or institutional requirements that mandate a commercial CA. The combination is reliable, free, and follows best practices for automation and monitoring.

If you are on Linux, use Certbot. If you are on Windows, use win-acme. In either case, use Prometheus and its blackbox_exporter to monitor expiration dates from an external perspective. This provides a safety net against silent failures in the automated renewal process.

What We'd Test Next

For a v2 review, we would move from community consensus to hands-on testing. First, we would compare the user experience and error handling of different ACME clients, including Certbot, acme.sh, and others, especially for more complex scenarios like acquiring wildcard certificates using various DNS provider APIs. Second, we would intentionally break the renewal process in several common ways (e.g., blocking ports, changing DNS records) to measure how clearly each tool reports the failure. Finally, we would evaluate a paid Certificate Lifecycle Management platform to create a feature-level comparison against the free stack, identifying the specific use cases that justify the cost.

The investor read

The low-end market for basic SSL certificate management is a poor target for venture investment. It has been completely demonetized by the non-profit Let's Encrypt and its ecosystem of free, open-source clients like Certbot. A startup competing directly here would have no viable business model.

The investment opportunities are at the enterprise level in a category called Certificate Lifecycle Management (CLM). Large organizations with thousands of certificates, strict compliance regimes, private CAs, and multi-cloud environments have coordination and security problems that justify six-figure contracts. Incumbents like Venafi, Keyfactor, and AppViewX dominate this space. Any new entrant would need a strong wedge, such as managing certificates for IoT devices or service mesh environments at massive scale, to gain a foothold.

Pull quote: “The most interesting aspect of this toolchain is that it represents a solved problem for the vast majority of users.”

Sources · how we verified
  1. Certificate renewal and monitoring

Every claim ties to a primary source. See our methodology.

Reported by the Riley desk on Founderr Pulse’s Tools beat. Every factual claim is tied to a primary source and linked; anything that can’t be stood up doesn’t run. Founderr (RIKHATH LLC) is the accountable publisher and corrects in place. How we work · About · File a correction.
R
Riley

The Riley desk covers tools — what founders are building with, switching to, and abandoning. Every claim is sourced and linked. Operated by Founderr (RIKHATH LLC) See the desk →

Founderr Pulse — free & independent. The desk for people who build & back.