Why Monitor SSL Expiry at 200 Days — Not 30

Let's Encrypt certificates expire every 90 days and are designed to renew at 60 days remaining. If renewal breaks on the day of issuance, you have 89 days of silent failure before a 30-day alert fires. That's nearly three months of broken renewal you don't know about.

The 200-day math

A brand new Let's Encrypt cert has 90 days. A cert expiring in under 200 days means either: (a) it's a short-validity cert that was intentionally issued short, or (b) renewal has already failed and the cert is counting down. Either case warrants investigation immediately — not when 30 days remain.

200-day check in bash
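# Days until the certificate served at domain.com:443 expires (requires GNU date).
# </dev/null closes stdin so s_client exits once the handshake is done.
DAYS_LEFT=$(( ($(date -d "$(openssl s_client -connect \
  domain.com:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate \
  | cut -d= -f2)" +%s) - $(date +%s)) / 86400 ))

[ "$DAYS_LEFT" -lt 200 ] && echo "WARNING: $DAYS_LEFT days left"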
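
A multi-host version of the check above, as an added example that is not part of the original page: it reports a failed certificate fetch separately from an expiry warning and prints each cert's issued validity next to the days left, which helps tell case (a) from case (b). The function names are hypothetical; GNU date and the openssl CLI are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical.
# Usage: ./cert-check.sh example.com example.org
THRESHOLD_DAYS=200   # threshold used in the article

# Convert an openssl date ("Mar  2 00:00:00 2025 GMT") to epoch seconds (GNU date).
to_epoch() { date -u -d "$1" +%s 2>/dev/null; }

# Print notBefore=/notAfter= for the certificate a host serves on port 443.
fetch_dates() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -dates 2>/dev/null
}

# classify_dates "<openssl -dates output>" <now_epoch>
# Prints "STATUS days_left lifetime_days". Returns 0 = OK, 1 = WARNING, 2 = ERROR.
classify_dates() {
  local nb na start end left life
  nb=$(printf '%s\n' "$1" | sed -n 's/^notBefore=//p')
  na=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
  # An empty field means no certificate was retrieved; report that separately
  # from an expiry warning.
  if [ -z "$nb" ] || [ -z "$na" ]; then echo "ERROR - -"; return 2; fi
  start=$(to_epoch "$nb") && end=$(to_epoch "$na") || { echo "ERROR - -"; return 2; }
  left=$(( (end - $2) / 86400 ))
  life=$(( (end - start) / 86400 ))   # issued validity, to help tell (a) from (b)
  if [ "$left" -lt "$THRESHOLD_DAYS" ]; then
    echo "WARNING $left $life"; return 1
  fi
  echo "OK $left $life"
}

# Check every host given; exit status is non-zero if any host is not OK.
check_hosts() {
  local now host result rc=0
  now=$(date +%s)
  for host in "$@"; do
    result=$(classify_dates "$(fetch_dates "$host")" "$now") || rc=1
    echo "$host: $result"
  done
  return "$rc"
}

if [ "$#" -gt 0 ]; then check_hosts "$@"; fi
```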

The SSL Checker flags certs expiring within 200 days across all your domains.
