Monitoring SSL Certificate Expiration

By Admin · Feb 25, 2026 · Updated Apr 23, 2026 · 117 views · 2 min read

Why Monitor Certificates?

Expired SSL certificates break your website for visitors and damage trust. Even with auto-renewal tools like Certbot, failures can happen silently.

Check Certificate Expiry from Command Line

# Check remote certificate
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# More readable
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate

Automated Monitoring Script

#!/bin/bash
DOMAINS="example.com api.example.com admin.example.com"
WARN_DAYS=14

for DOMAIN in $DOMAINS; do
    EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
    EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
    NOW_EPOCH=$(date +%s)
    DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))

    if [ "$DAYS_LEFT" -lt "$WARN_DAYS" ]; then
        echo "WARNING: $DOMAIN expires in $DAYS_LEFT days ($EXPIRY)" | mail -s "SSL Certificate Expiring" admin@example.com
    fi
done

chmod +x /usr/local/bin/check-ssl.sh
# Run daily
echo "0 8 * * * root /usr/local/bin/check-ssl.sh" >> /etc/crontab

Using Uptime Kuma

Add each domain as an HTTPS monitor. Uptime Kuma automatically checks certificate validity and alerts when expiry is approaching.

Certbot Renewal Check

# Test if auto-renewal works
sudo certbot renew --dry-run

# Check renewal timer
systemctl list-timers | grep certbot