Nothing kills user trust faster than a big red "Not Secure" warning in the browser address bar. Yet SSL certificate expiry remains one of the most common causes of preventable downtime for small teams and indie developers.
The irony? It's completely preventable with proper SSL certificate monitoring. Here's how to set it up properly.
The Real Cost of Expired SSL Certificates
When your SSL certificate expires, the consequences cascade quickly:
- Browser warnings scare away users (up to 90% will leave)
- API calls fail from your own services
- Search rankings drop (Google penalizes insecure sites)
- Payment processing stops if you run e-commerce
- Trust is damaged — users remember security warnings
Why Certificates Expire Unexpectedly
SSL certificates have expiration dates for security reasons. But several things can go wrong:
1. Auto-Renewal Failures
Let's Encrypt and other ACME-based certificates typically auto-renew, but the renewal process can fail silently due to:
- DNS changes that break ACME challenges
- Firewall rules blocking the renewal process
- Cron jobs that stopped running
- Disk space issues preventing certificate storage
2. Manual Certificate Management
If you're manually managing certificates (especially paid ones), it's easy to forget renewal dates — particularly for side projects or less-critical services.
3. Multi-Server Environments
You might have auto-renewal working on your main server, but what about your staging environment, backup server, or that one-off instance you set up 8 months ago?
How SSL Certificate Monitoring Works
SSL monitoring checks your certificate's validity by:
- Connecting to your server over HTTPS
- Extracting certificate details (issuer, expiry date, chain)
- Calculating days until expiration
- Alerting you when certificates are approaching expiry
The key is getting alerts before the certificate expires, not after.
What to Monitor for SSL Certificates
Primary Checks
- Days until expiration — Alert at 30, 14, and 7 days
- Certificate validity — Is the cert properly signed and not revoked?
- Hostname match — Does the cert cover the domain being accessed?
Secondary Checks
- Certificate chain — Are intermediate certs properly configured?
- Protocol versions — Is TLS 1.0/1.1 disabled?
- Cipher suites — Are weak ciphers rejected?
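The primary checks listed above as a single probe, added here as an example (not code from the original article or from OpsPulse): a verified TLS handshake with Python's standard `ssl` module, so chain and hostname failures are reported separately from days remaining. The function names and result fields are illustrative, and revocation is not checked.

```python
import socket
import ssl
import time

def days_left(not_after, now=None):
    """Whole days until a notAfter string such as 'Jan  1 00:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify_failure(exc):
    """Map a certificate verification error to the check that failed."""
    if exc.verify_code == 10:       # X509_V_ERR_CERT_HAS_EXPIRED
        return "expired"
    if exc.verify_code == 62:       # X509_V_ERR_HOSTNAME_MISMATCH
        return "hostname-mismatch"
    return "chain-invalid"          # unknown issuer, missing intermediate, etc.

def probe(host, port=443, timeout=10):
    """Handshake with full verification and return one result dict per host."""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Must be caught before OSError, which it subclasses.
        return {"host": host, "status": classify_failure(exc),
                "detail": exc.verify_message}
    except OSError as exc:
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    return {"host": host, "status": "ok", "not_after": cert["notAfter"],
            "days_left": days_left(cert["notAfter"])}
```

Call `probe()` once per HTTPS endpoint in your inventory and alert on any status other than `ok`, as well as on a low `days_left`.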
Setting Up SSL Monitoring
Option 1: Dedicated Monitoring Service
Services like OpsPulse include SSL certificate monitoring as part of their uptime checks. This is the easiest approach — set it and forget it.
Benefits:
- Alerts delivered to Telegram, email, or Slack
- Multiple reminder thresholds (30/14/7 days)
- Combined with uptime monitoring
- No server configuration needed
Option 2: Self-Hosted Monitoring
If you prefer to run your own monitoring, here's a simple approach:
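```bash
#!/bin/bash
# Simple SSL expiry check (date -d requires GNU date)
DOMAIN="yourdomain.com"
DAYS_THRESHOLD=30

# Fetch the leaf certificate and read its notAfter date
EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null \
  | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)

# An empty result means the connection or parse failed
if [ -z "$EXPIRY" ]; then
  echo "ERROR: could not read certificate for $DOMAIN"
  exit 1
fi

EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))

if [ "$DAYS_LEFT" -lt "$DAYS_THRESHOLD" ]; then
  echo "WARNING: $DOMAIN certificate expires in $DAYS_LEFT days"
  # Add your alert mechanism here
fi
```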
Run this daily via cron, but remember: self-hosted monitoring on the same server as your site won't alert you if that server goes down.
Option 3: Certificate Transparency Logs
For advanced setups, monitor Certificate Transparency logs to get notified when new certificates are issued for your domains — useful for detecting unauthorized certificate issuance.
Best Practices for SSL Certificate Management
1. Use Multiple Alert Thresholds
Don't rely on a single alert. Set reminders at:
- 30 days — Early warning, plenty of time to fix
- 14 days — Action needed soon
- 7 days — Urgent, fix immediately
- 1 day — Emergency alert
2. Monitor Certificate Renewal Itself
If you use Let's Encrypt with certbot, monitor the renewal process:
```bash
# Add to your cron monitoring
0 0 * * * certbot renew --dry-run && echo "Renewal OK" || echo "Renewal FAILED"
```
3. Document Your Certificate Inventory
Keep a list of all certificates across your infrastructure:
- Main domain certificate
- Wildcard certificates
- API subdomain certificates
- Internal service certificates
- Third-party service certificates (CDN, email)
4. Test After Renewal
When a certificate auto-renews, verify it worked:
- Check the new expiry date
- Verify the certificate chain
- Test from multiple locations
- Confirm browsers show the new cert
Common SSL Monitoring Mistakes
Mistake 1: Only Monitoring the Root Domain
Your example.com cert might be fine, but what about api.example.com or staging.example.com? Monitor all HTTPS endpoints.
Mistake 2: Alerting Only Once
A single alert at 30 days is easily forgotten. Use escalating reminders as the deadline approaches.
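The escalation described under "Use Multiple Alert Thresholds" and in Mistake 2, as an added example (not code from the original article or from OpsPulse): each threshold fires once per certificate, the final day and any expired certificate alert on every run, and a renewal resets the sequence. The state layout and function names are illustrative; `days_left` and `not_after` come from whatever check you already run.

```python
import json
from pathlib import Path

TIERS = (30, 14, 7, 1)  # thresholds from the article
LABELS = {30: "early warning", 14: "action needed soon", 7: "urgent", 1: "emergency"}

def current_tier(days_left):
    """Tightest threshold reached, or None while more than 30 days remain."""
    reached = [t for t in TIERS if days_left <= t]
    return min(reached) if reached else None

def due_alert(host, not_after, days_left, state):
    """Return an alert string if one is due for this run, else None.

    state maps host -> {"not_after": str, "tier": int} and is updated in place.
    """
    tier = current_tier(days_left)
    prev = state.get(host)
    if prev and prev["not_after"] != not_after:
        prev = None                      # certificate was renewed: start over
    if tier is None:
        state.pop(host, None)
        return None
    # One alert per tier, except the last day and after expiry: repeat every run.
    if prev and prev["tier"] <= tier and days_left > 1:
        return None
    state[host] = {"not_after": not_after, "tier": tier}
    label = "EXPIRED" if days_left < 0 else LABELS[tier]
    return f"[{label}] {host}: {days_left} days left (notAfter {not_after})"

def load_state(path):
    """Read alert state written by a previous run (empty on first run)."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}

def save_state(path, state):
    """Persist alert state so the next cron run knows which tiers already fired."""
    Path(path).write_text(json.dumps(state, indent=2))
```

Load the state at the start of the daily run, call `due_alert()` for each endpoint, send whatever it returns, then save the state.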
Mistake 3: Not Testing Alert Delivery
Your monitoring is useless if alerts go to a dead email address or a muted Slack channel. Test your alert delivery regularly.
Mistake 4: Ignoring Intermediate Certificates
Even if your leaf certificate is valid, an expired intermediate certificate can break the chain and cause browser errors.
The OpsPulse Approach
At OpsPulse, we include SSL certificate monitoring with every uptime check. When you add a monitor, we automatically:
- Track certificate expiration dates
- Send alerts at 30, 14, and 7 days before expiry
- Verify certificate chain validity
- Alert on hostname mismatches
- Deliver notifications via Telegram
No separate configuration needed — it's built into every HTTPS monitor.
Stop Worrying About Certificate Expiry
Set up SSL certificate monitoring in 2 minutes. Get alerts before your certificates expire, not after.
Summary
SSL certificate expiry is a preventable problem that can seriously damage your business. The solution is straightforward:
- Monitor all certificates — not just your main domain
- Use multiple alert thresholds — 30/14/7/1 days
- Test your alerting — make sure notifications reach you
- Verify renewals work — don't assume auto-renewal is flawless
With proper SSL monitoring in place, you'll never be caught off guard by an expired certificate again.