An expired SSL certificate is one of the most embarrassing outages there is: the site is up, the server is healthy, the code is fine — but every visitor hits a full-page browser warning telling them your site is unsafe. And it always seems to expire at 2am on a Saturday.

SSL certificate monitoring is the cheap insurance against it. Here's what it checks and how to set up expiry alerts.

Why certs still expire in the age of auto-renewal

"We use Let's Encrypt, it auto-renews" is exactly the team that gets caught. Auto-renewal fails quietly in a dozen ways:

  • The renewal cron job stopped running (a perfect case for a dead man's switch).
  • The ACME challenge (HTTP-01 / DNS-01) broke after a config change.
  • A CDN, load balancer or proxy is serving an old cached certificate.
  • A certificate was issued manually and nobody wired up renewal.
  • Renewal succeeded on one server but not the others behind the LB.

What SSL monitoring checks

| Check | Why it matters |
| --- | --- |
| Days until expiry | The headline metric — alert at 30 / 14 / 7 / 1 days |
| Certificate chain | A missing intermediate breaks some clients even if the cert is valid |
| Hostname match | Cert must cover the exact domain (and www / subdomains) |
| Protocol & cipher | Outdated TLS versions get flagged by browsers and scanners |
| Revocation | A revoked cert is as broken as an expired one |

How to set it up

Point a monitor at your HTTPS URL and tell it how early to warn you. The key is the lead time: 7 days is too late if your renewal is broken and you need to debug an ACME challenge. Alert at 30 days so you have room, then again at 14 and 7.

You can also spot-check manually:

    # print the certificate's expiry date (notAfter); compare it with today to get days remaining
    echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
      | openssl x509 -noout -enddate

But a one-off check doesn't help at 2am three months from now — you need continuous monitoring.
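As an added example (not code from this article or from Nurbak Watch), here is a small check that a scheduler could run on a timer to apply the 30 / 14 / 7 / 1-day thresholds to a live certificate. The function names and the result dictionary are hypothetical; it uses only the Python standard library and does not check revocation.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert thresholds from the article: warn at 30 / 14 / 7 / 1 days before expiry.
THRESHOLDS = (30, 14, 7, 1)

def days_until_expiry(not_after, now=None):
    """Whole days from `now` to a notAfter string such as 'Jun  1 12:00:00 2030 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days  # negative once the certificate has expired

def alert_level(days_left):
    """Tightest threshold crossed, 0 if already expired, None if no alert is due."""
    if days_left < 0:
        return 0
    crossed = [t for t in THRESHOLDS if days_left <= t]
    return min(crossed) if crossed else None

def check_host(host, port=443, timeout=10):
    """Fetch the certificate actually served; the default context also
    validates the chain and the hostname, so those failures surface here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong hostname or missing intermediate: visitors see a warning.
        return {"host": host, "ok": False, "error": exc.verify_message}
    days = days_until_expiry(cert["notAfter"])
    level = alert_level(days)
    return {"host": host, "ok": level is None, "days_left": days, "alert_at": level}

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:  # e.g. python check_cert.py example.com
        print(check_host(name))
```

Run it against the public hostname rather than an individual backend, so a stale certificate served by a CDN or load balancer is what gets measured.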

Don't stop at the certificate

An expired cert is one of several silent outages — alongside a dead cron job, an expired domain, or an endpoint quietly returning 500s. Nurbak Watch monitors SSL certificate expiry alongside uptime, endpoints and heartbeats, and alerts you via Slack, email and WhatsApp with enough lead time to actually fix it.
