SSL certificate expiry monitoring setup

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

SSL certificate expiry monitoring setup

Simple

~1 business day

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

Setting Up SSL Certificate Monitoring (Expiry Date)

Expired SSL certificate makes site inaccessible to all users. Browsers show warning page, SEO rankings drop, user trust lost. Certificate expiry monitoring is one of simplest tasks with high impact on availability.

What to Monitor

Main domain certificate expiry
Subdomain certificates (each separately — wildcard *.example.com not always used)
Intermediate certificates in chain (CA chain)
Internal service certificates (API, internal domains)

Prometheus Blackbox Exporter

# blackbox.yml
modules:
  https_check:
    prober: http
    timeout: 15s
    http:
      valid_status_codes: []  # Any status — check only SSL
      method: HEAD
      tls_config:
        insecure_skip_verify: false
      fail_if_ssl: false
      fail_if_not_ssl: true

# prometheus.yml scrape config
scrape_configs:
  - job_name: 'ssl_certificate_check'
    metrics_path: /probe
    params:
      module: [https_check]
    static_configs:
      - targets:
          - https://example.com
          - https://api.example.com
          - https://admin.example.com
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: blackbox-exporter:9115

Metric probe_ssl_earliest_cert_expiry contains certificate expiry timestamp.

Prometheus alert:

- alert: SSLCertificateExpiringSoon
  expr: probe_ssl_earliest_cert_expiry - time() < 30 * 24 * 3600
  labels:
    severity: warning
  annotations:
    summary: "SSL cert on {{ $labels.instance }} expires in {{ $value | humanizeDuration }}"

- alert: SSLCertificateExpiryCritical
  expr: probe_ssl_earliest_cert_expiry - time() < 7 * 24 * 3600
  labels:
    severity: critical
  annotations:
    summary: "SSL cert on {{ $labels.instance }} expires in {{ $value | humanizeDuration }}!"

Python Script for Monitoring

import ssl
import socket
from datetime import datetime, timezone

def check_ssl_expiry(hostname: str, port: int = 443) -> dict:
    context = ssl.create_default_context()

    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            cert = ssock.getpeercert()

    expiry_str = cert['notAfter']
    expiry_date = datetime.strptime(expiry_str, '%b %d %H:%M:%S %Y %Z')
    expiry_date = expiry_date.replace(tzinfo=timezone.utc)

    days_remaining = (expiry_date - datetime.now(timezone.utc)).days

    return {
        'hostname': hostname,
        'expires_at': expiry_date.isoformat(),
        'days_remaining': days_remaining,
        'issuer': dict(x[0] for x in cert['issuer']),
        'subject': dict(x[0] for x in cert['subject'])
    }

Automatic Renewal with Let's Encrypt

If using Let's Encrypt + Certbot or ACME client, manual renewal not needed. But monitoring still necessary — automation sometimes breaks.

# Check certbot timer status
systemctl status certbot.timer

# Test run without actual update
certbot renew --dry-run

Certbot renews certificates when < 30 days remain. Monitoring triggers at < 30 days = automation didn't work in time.

Uptime Robot / Better Uptime

Fastest option — external SSL monitoring services:

Uptime Robot (free plan): SSL expiry check, notification at 30/7/1 day
Better Uptime, StatusCake: similar

Setup: 5 minutes. Complements Prometheus monitoring.