SSL Certificates
How to configure SSL certificate monitoring to track expiry dates and chain validity.
Overview
SSL monitors connect to a hostname and inspect the TLS certificate. They check expiry dates, chain validity, and hostname matching. You receive advance warnings before certificates expire.
Configuration
Hostname
Enter the hostname you want to monitor (e.g., example.com). MonitorHound connects on port 443 to retrieve the certificate.
Expiry threshold
Configure how many days before expiry you want to be alerted. The threshold is a single value between 1 and 365 days (default: 30 days).
For certificates with short lifetimes (like 90-day Let’s Encrypt certificates), you may want to increase the threshold to 45 days or more to allow time for renewal troubleshooting.
What is checked
Each SSL check validates:
- Expiry date — Is the certificate expired or about to expire?
- Certificate chain — Are all intermediate certificates present and valid?
- Hostname match — Does the certificate match the requested hostname?
- Self-signed detection — Is the certificate self-signed?
- Protocol version — What TLS version is the server using?
Check behavior
- MonitorHound establishes a TLS connection to the hostname
- The certificate chain is retrieved and validated
- The expiry date is checked against the configured threshold
- If any validation fails, the check is marked as failed
- An alert is sent when the certificate is within the threshold of expiring
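The check sequence above can be reproduced for troubleshooting with Python's standard `ssl` module. This is an added example, not MonitorHound's own code; the function names, the `ok`/`alert`/`failed` status strings, and the mapping of OpenSSL verify codes to the checks listed on this page are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL X509 verify codes, mapped to the checks listed above (assumed mapping).
VERIFY_REASONS = {
    10: "certificate expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "incomplete chain (missing intermediate)",
    62: "hostname mismatch",
}

def expiry_status(not_after, threshold_days=30, now=None):
    """Classify a notAfter string in getpeercert() format against the threshold."""
    if not 1 <= threshold_days <= 365:
        raise ValueError("threshold must be between 1 and 365 days")
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).total_seconds() / 86400
    if days_left < 0:
        return "failed", days_left       # already expired
    if days_left <= threshold_days:
        return "alert", days_left        # valid, but inside the warning window
    return "ok", days_left

def check_host(hostname, threshold_days=30, port=443, timeout=10):
    """TLS handshake with chain and hostname validation, then the expiry check."""
    ctx = ssl.create_default_context()   # verifies chain and hostname by default
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert, protocol = tls.getpeercert(), tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Any validation failure marks the whole check as failed.
        reason = VERIFY_REASONS.get(exc.verify_code, exc.verify_message)
        return {"status": "failed", "reason": reason}
    status, days_left = expiry_status(cert["notAfter"], threshold_days)
    return {"status": status, "days_left": int(days_left), "protocol": protocol}
```

Calling `check_host("example.com", threshold_days=30)` performs the live check; connection errors such as timeouts are left to propagate so they are not confused with certificate failures.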
Common scenarios
- Auto-renewal monitoring: Even with Let’s Encrypt and certbot, renewals can fail silently. SSL monitoring acts as a safety net.
- Wildcard certificates: Monitor the specific subdomains covered by a wildcard certificate to verify they are correctly served.
- Internal services: Monitor certificates on internal services that may not have automated renewal.
- Third-party services: Monitor certificates on services you depend on but do not control.