TLS/SSL Certificate Monitor
Track SSL/TLS certificate expiration dates and validity. Get alerts before certificates expire to avoid downtime.
What is a TLS Monitor?
A TLS Monitor connects to an HTTPS endpoint, retrieves the SSL/TLS certificate, and validates its expiration date, chain, and issuer.
Why Monitor Certificates?
Expired certificates cause:
- Browser warnings: Users see security errors
- API failures: Clients reject connections
- SEO penalties: Search engines downrank insecure sites
- Data exposure: Fallback to unencrypted HTTP
Configuration Options
Basic Configuration
| Field | Description | Example |
|---|---|---|
| Name | Human-readable identifier | Production SSL Certificate |
| Domain | HTTPS endpoint | https://api.example.com |
| Days Before Expiry | Alert threshold | 30 (alert 30 days before expiry) |
| Validate Chain | Check full cert chain | true (recommended) |
| Interval | Check frequency | 1h, 6h, 24h |
| Timeout | Max wait time | 10s, 30s |
Configuration Examples
Basic Certificate Monitoring
```json
{
  "type": "tls",
  "name": "Production SSL",
  "domain": "https://api.example.com",
  "daysBeforeExpiry": 30,
  "validateChain": true,
  "interval": 86400000
}
```
Strict Certificate Validation
```json
{
  "type": "tls",
  "name": "Payment Gateway SSL",
  "domain": "https://payments.example.com",
  "daysBeforeExpiry": 60,
  "validateChain": true,
  "checkRevocation": true,
  "interval": 21600000
}
```
Multiple Domains
```json
// Create separate monitors for each domain
{
  "type": "tls",
  "name": "Main Site SSL",
  "domain": "https://example.com"
},
{
  "type": "tls",
  "name": "API SSL",
  "domain": "https://api.example.com"
},
{
  "type": "tls",
  "name": "CDN SSL",
  "domain": "https://cdn.example.com"
}
```
Check Results
Certificate Information
Each check provides:
- Issuer: Certificate authority (e.g., Let's Encrypt, DigiCert)
- Subject: Domain name
- Valid From: Start date
- Valid Until: Expiration date
- Days Remaining: Time until expiry
- Algorithm: Signature algorithm (RSA, ECDSA)
- Key Size: 2048-bit, 4096-bit, etc.
- SANs: Subject Alternative Names (wildcard, multiple domains)
Example Output
```json
{
  "status": "valid",
  "issuer": "Let's Encrypt",
  "subject": "*.example.com",
  "validFrom": "2026-01-01T00:00:00Z",
  "validUntil": "2026-04-01T00:00:00Z",
  "daysRemaining": 45,
  "algorithm": "RSA",
  "keySize": 2048,
  "sans": ["example.com", "*.example.com"]
}
```
Alert Conditions
1. Certificate Expiring Soon
Days remaining < threshold. Example:
```json
{
  "daysRemaining": 25,
  "threshold": 30,
  "alert": "Certificate expires in 25 days"
}
```
2. Certificate Expired
Current date > valid until date.
3. Invalid Certificate Chain
Certificate chain cannot be validated:
- Self-signed certificate
- Untrusted root CA
- Missing intermediate certificates
4. Certificate Revoked
The certificate appears on the issuer's CRL (Certificate Revocation List), or an OCSP response reports it as revoked.
Best Practices
1. Set 30-Day Alert Threshold
Alert 30 days before expiry to allow time for:
- Certificate renewal
- DNS propagation
- Testing in staging
- Deployment to production
2. Monitor All Domains
Don't forget:
- Main domain (example.com)
- WWW subdomain (www.example.com)
- API subdomains (api.example.com)
- CDN domains (cdn.example.com)
- Admin panels (admin.example.com)
3. Check Daily
Certificates rarely change. Check once per day:
- Reduces unnecessary API calls
- Still catches issues with 30-day lead time
- Detects unexpected renewals
4. Validate Full Chain
Always enable validateChain: true to catch:
- Missing intermediate certificates
- Untrusted root CAs
- Chain ordering issues
5. Use Automated Renewal
Combine monitoring with automated renewal:
- Let's Encrypt: Certbot auto-renewal every 60 days
- AWS Certificate Manager: Automatic renewal
- Cloudflare: Managed SSL certificates
Common Certificate Lifetimes
| Provider | Validity | Auto-Renew |
|---|---|---|
| Let's Encrypt | 90 days | ✅ Yes (Certbot) |
| DigiCert | 1-2 years | ❌ Manual |
| AWS ACM | 13 months | ✅ Yes (automatic) |
| Cloudflare | 15 years | ✅ Yes (automatic) |
| ZeroSSL | 90 days | ✅ Yes (ACME) |
Troubleshooting
Certificate Expiring But Auto-Renewal Failed
Possible Causes:
- Certbot not running
- DNS challenge failed
- Port 80/443 blocked
- Rate limits exceeded
Solution:
```bash
# Test certbot renewal
sudo certbot renew --dry-run
# Check certbot logs
sudo cat /var/log/letsencrypt/letsencrypt.log
# Manual renewal
sudo certbot renew --force-renewal
```
Invalid Certificate Chain
Cause: Missing intermediate certificates.
Solution:
```bash
# Verify chain manually (echo closes stdin so s_client exits; -servername sends SNI
# so the server returns the certificate for this name rather than its default one)
echo | openssl s_client -servername example.com -connect example.com:443 -showcerts
# Use SSL Labs for detailed analysis
# https://www.ssllabs.com/ssltest/
```
Self-Signed Certificate Warning
Cause: Using self-signed cert in production.
Solution:
- Use Let's Encrypt for free trusted certificates
- Or purchase from DigiCert/Sectigo
- Don't use self-signed in production
Certificate Types
Domain Validated (DV)
- Validation: Domain ownership only
- Issuance Time: Minutes
- Use Case: Most websites, APIs
- Examples: Let's Encrypt, ZeroSSL
Organization Validated (OV)
- Validation: Domain + organization identity
- Issuance Time: 1-3 days
- Use Case: Corporate websites
- Examples: DigiCert OV, Sectigo OV
Extended Validation (EV)
- Validation: Strict organization verification
- Issuance Time: 1-2 weeks
- Use Case: E-commerce, banking (legacy)
- Examples: DigiCert EV
Wildcard
- Coverage: *.example.com (all subdomains)
- Use Case: Multiple subdomains
- Note: Doesn't cover example.com itself
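As an added example (not part of the monitor's own code), a standard-library Python check that performs what the Check Results, Alert Conditions and Wildcard sections describe: it connects with SNI and full chain validation, maps the peer certificate onto the result fields above, raises the expiring/expired alerts against a daysBeforeExpiry threshold, and applies the one-label wildcard rule under which *.example.com does not cover example.com itself. SAMPLE_CERT is constructed data in the shape getpeercert() returns, not a real certificate; algorithm and key size are omitted because the ssl module does not expose them.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (made-up values).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def fetch_peer_cert(host, port=443, timeout=10.0):
    """Connect with SNI and full chain validation against the system trust store;
    self-signed, untrusted-root or incomplete chains raise ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_covers(host, sans):
    """A wildcard covers exactly one label: *.example.com matches api.example.com
    but neither example.com itself nor a.b.example.com."""
    for san in sans:
        if san == host or (san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]):
            return True
    return False

def evaluate_cert(cert, host, threshold_days, now_epoch=None):
    """Turn a peer cert dict into the monitor's check result plus alert messages."""
    now = time.time() if now_epoch is None else now_epoch
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_remaining = int((not_after - now) // 86400)
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)  # flatten RDN tuples
    subject = dict(pair for rdn in cert["subject"] for pair in rdn)
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    alerts = []
    if now > not_after:
        alerts.append("Certificate expired")
    elif days_remaining < threshold_days:
        alerts.append(f"Certificate expires in {days_remaining} days")
    if not san_covers(host, sans):
        alerts.append(f"Certificate does not cover {host}")
    stamp = lambda t: time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))
    return {"status": "expired" if now > not_after else "valid", "daysRemaining": days_remaining,
            "issuer": issuer.get("organizationName", issuer.get("commonName")),
            "subject": subject.get("commonName"), "sans": sans, "alerts": alerts,
            "validFrom": stamp(not_before), "validUntil": stamp(not_after)}
```

A live check is `evaluate_cert(fetch_peer_cert("api.example.com"), "api.example.com", 30)`; catching ssl.SSLCertVerificationError around fetch_peer_cert turns a chain failure into the "Invalid Certificate Chain" alert instead of a crash.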
Manual Certificate Check
Using OpenSSL
```bash
# Check expiration date
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
# Check full certificate details
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -text
# Check certificate chain (echo closes stdin so s_client exits; -servername sends SNI)
echo | openssl s_client -servername example.com -connect example.com:443 -showcerts
```
Using curl
```bash
# Verbose TLS info
curl -vI https://example.com 2>&1 | grep -i 'expire'
```
Next Steps
- HTTP Monitor: Monitor web endpoints
- TCP Monitor: Monitor ports
- Configure Alert Rules for certificate expiration
- Best Practices for effective monitoring