How to Keep Track of Certificate Expiration?

Normally it “just works” but one of my sites just didn’t renew and the site was “down” :frowning:

You mean SSL cert? HetrixTools have this feature included :slight_smile:

3 Likes

LetsEncrypt sends you emails, besides you can automate that, if it works at the end.
Otherwise, needs external monitoring such as Hetrixtools but you can surely run a script on your Linux box which sends you an email when expired.

Maybe github a bit, sure someone already wrote such.

Wait for someone to complain that the certificate has expired. It works and it’s reliable.

6 Likes

The thing is, you want to know before it happens, not after.
But yes, using other humans as notification, has been proved all along.

Only drawback is, it’s delayed, human nature.

1 Like

This is interesting:

https://certificatemonitor.org/

1 Like

Hehe… site run by my Dutch pal Remi

Great little service, most use certbot to renew but nice to have an idea if they’re expiring.

I’ve never gotten a renewal email from letsencrypt and didn’t know that letsencrypt ever sends them. It surprises me slightly. Certbot is supposed to do it, but if you need some kind of backup and you don’t want to use a calendar reminder or cron task, you could put something into your normal site monitoring that alerts you if a certificate is about to expire. I think certbot won’t renew a certificate with more than 1 month remaining. So if your certbot renewal is set for 65 days you could have your monitoring alert you after 70 days, giving you reasonable time to straighten things out if something has gone wrong with your certbot setup.

I’m skeptical of the idea of relying on yet another external service to monitor this. Just make it part of your normal monitoring.

Are you referring to certificatemonitor? It’s a self-hosted app (the dev runs a free instance/sample site)

acme.sh does it as well and generally won’t attempt to renew a cert if there’s more than 1 month to go.

Personally, and regardless of external/integrated tools, I check domain expiration the second week of every odd month (I don’t have a gazillion of domains to check, anyway it’s a simple script); every domain I check is set to renew within the first week of that month.
It’s nice anyway to have such a check integrated in your existing monitoring tool, just as an additional memo.

Unless no ppl visit your site

1 Like

That’s the most secure site possible.

3 Likes

statuscake can let you know when you have a subscription with them

1 Like

If you are using good old Nagios to monitor ‘everything’, check_ssl_cert can do this job for you.

2 Likes

https://sslping.com/ works fine for me

it’s open source too - GitHub - chrisDeFouRire/sslping-cli: bulk import/export for https://sslping.com

1 Like

A real simple way to do so is to just store your local certhash for your zones:

$ openssl s_client -servername hostballs.com -connect hostballs.com:443 > hostballs.cert < /dev/null 2>/dev/null
$ openssl x509 -noout -dates < hostballs.cert
notBefore=Oct  5 23:15:16 2019 GMT
notAfter=Jan  3 23:15:16 2020 GMT

Then, just take that data, convert to time_t, and compare/update yourself. It’s like 20 lines of PHP.

E: You’ll probably only want -enddate, but you also don’t want to renew before systime.
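An added example, not code from the thread or any poster: the check described in the last post, written in Python rather than the PHP it mentions. It parses the `-dates` output, converts both dates to epoch seconds, and compares them with the system time. The function names and the 20-day alert threshold are assumptions; the threshold mirrors the "alert after 70 days" suggestion earlier in the thread for a 90-day certificate.

```python
import re
import ssl
import subprocess
import time

# Constructed sample: the `openssl x509 -noout -dates` output quoted in the post.
SAMPLE = """notBefore=Oct  5 23:15:16 2019 GMT
notAfter=Jan  3 23:15:16 2020 GMT
"""

def parse_dates(text):
    """Return {'notBefore': epoch, 'notAfter': epoch} from openssl -dates output."""
    found = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", text, re.M))
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    # ssl.cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" as UTC.
    return {k: ssl.cert_time_to_seconds(v.strip()) for k, v in found.items()}

def classify(dates, now=None, warn_days=20):
    """Return (status, whole days until notAfter); warn_days is an assumed threshold."""
    now = time.time() if now is None else now
    days_left = int((dates["notAfter"] - now) // 86400)
    if now < dates["notBefore"]:
        return "not-yet-valid", days_left  # wrong system clock or a bad certificate
    if now >= dates["notAfter"]:
        return "expired", days_left
    return ("renew" if days_left < warn_days else "ok"), days_left

def fetch_dates(host, port=443, timeout=15):
    """Run the two openssl commands from the post and return the -dates output."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True,
                          text=True, check=True)
    return x509.stdout

if __name__ == "__main__":
    # Offline demo on the sample above; for a live check, pass
    # fetch_dates("<your host>") to parse_dates instead of SAMPLE.
    print(classify(parse_dates(SAMPLE)))
```

Run from cron, a non-"ok" status is the point at which to send the alert email, which leaves time to fix a broken renewal job before visitors see an expired certificate.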