All articles

How to Monitor SSL Certificate Expiration

SSL certificate renewal can fail silently. When one expires, browsers can block users before they ever reach your website. The fix is usually simple, but the impact is immediate and public.

Why SSL monitoring matters

Tools like Let's Encrypt automate certificate renewal, but automation is not the same as verification. Renewals can fail, certificates may not deploy correctly, and proxies or CDNs may continue serving an old certificate.

On June 4, 2025, Let's Encrypt stopped sending email alerts that a certificate will expire. That means teams no longer receive passive warnings and must actively monitor certificate status.

Method 1: Check SSL expiration from the command line

You can check a certificate’s expiration date directly using OpenSSL. This works on Linux and macOS.

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

This returns the certificate validity window:

notBefore=Jan  1 00:00:00 2026 GMT
notAfter=Mar 31 23:59:59 2026 GMT

The "notAfter" value is the expiration date. This check reflects what users actually receive over HTTPS, not just what exists on your server.

Method 2: Or use curl for quick validation

For a fast check during debugging, curl will fail if the certificate is invalid:

curl -v https://example.com

If there is a certificate issue, curl will display it. This is useful for confirming problems, but not for proactive monitoring.

Common failure scenarios

  • Auto-renewal failed silently
  • Certificate renewed but not deployed
  • Load balancer or CDN still serving old cert
  • Wrong hostname or missing SAN entry
  • Alerts sent to an unmonitored inbox

What good SSL monitoring looks like

  • External checks
  • Multiple warning thresholds (30, 14, 7, 3 days)
  • Coverage of all domains and subdomains
  • Alerts routed to a real owner

DIY monitoring isn't for everyone

Command-line checks require maintenance. Scripts break, cron jobs go forgotten, and alerts can get lost. As your number of domains grows, the overhead increases quickly.

A simpler approach

Instead of maintaining scripts, many teams use external monitoring like ServerVisor that continuously checks SSL certificates and sends alerts before expiration.

They don't just assume renewal works, they verify and remove the risk of silent failures.

SSL expiration is a preventable outage and easy to fix if notified early. The only requirement is noticing it in time.

ServerVisor Team

Final takeaway

Monitoring SSL expiration isn't complicated, but it's important. Whether you use scripts or a monitoring service, the goal is the same: verify from the outside, warn early, and don't let expiration surprise you.

Want to learn more?
Browse all our guides and articles.
View plans