Fix: SSL Certificate Expiry Monitoring Setup
The standard 30-day alert is too late — your renewal pipeline may have been broken for months before you find out. Monitor at 200 days.
Weekly SSL check cron job
#!/bin/bash
# /usr/local/bin/check-ssl.sh
DOMAINS=("yourdomain.com" "api.yourdomain.com")
ALERT_DAYS=200
EMAIL="you@yourdomain.com"
for domain in "${DOMAINS[@]}"; do
expiry=$(openssl s_client -connect "$domain:443" $
-servername "$domain" 2>/dev/null | $
openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null)
days_left=$(( (expiry_epoch - $(date +%s)) / 86400 ))
if [ "$days_left" -lt "$ALERT_DAYS" ]; then
echo "$domain: $days_left days left" | $
mail -s "SSL warning: $domain" "$EMAIL"
fi
done# Add to crontab: 0 9 * * 1 flock -n /tmp/ssl-check.lock /usr/local/bin/check-ssl.sh
Check multiple domains at once with the SSL Checker — 200-day warnings included.
Open Tool →