[jrockway]

I have no memory of when this was but it was on the order of 9 months to a year ago.

"up to 60 days before" includes "five minutes after". What it excludes is the renewal starting 61 days before the cert expires, and, as documented, it sure didn't do that.

Stuff went wrong and we had no observability. That is the AWS way.

[sciurus]

Not to be mean, but you definitely had observability into the expiration date of your certificate. You just weren't monitoring it yet. What you are doing now with Prometheus sounds good.

[toast0]

If you need to figure out for yourself what to monitor about the service, including things AWS says it handles, it brings into question the value of the service.