SSL certificate expiry monitoring with 30/14/7-day alerts
FourSight's SSL monitor checks your certificate on every check cycle and alerts you 30, 14, and 7 days before expiry by default (thresholds are fully configurable). It also detects host mismatches — a valid certificate served for the wrong domain — and chain problems, via email, Slack, webhook, or SMS.
An expired SSL certificate is the most preventable outage in production. Browsers show a full-page security warning, API clients hard-fail the TLS handshake, mobile apps error out — and to every user it looks like your service is broken or compromised. It happens to teams of every size, and it almost always happens for the same reason: everyone assumed renewal was automated, and nobody was watching whether the automation actually worked.
SSL monitoring is the safety net under that automation. FourSight connects to your endpoint, inspects the certificate actually being served, and counts down the days — alerting on a schedule that gives you time to fix a broken renewal calmly rather than during an outage.
Why do certificates still expire if renewal is automated?
Because automation fails silently. An ACME client gets stuck on a rate limit; a DNS-01 challenge breaks after a nameserver migration; a firewall change blocks the HTTP-01 validation path; the renewal cron job itself dies (see cron job monitoring); or the cert renews on the origin but a load balancer, CDN edge, or legacy appliance keeps serving the old one. In every one of those cases the renewal system believes it succeeded — or doesn't run at all — and no error ever reaches a human.
Monitoring from the outside sidesteps the entire question of why. FourSight doesn't inspect your renewal tooling; it inspects the certificate your users actually receive during a real TLS handshake. If that certificate is 29 days from expiry, you get an alert — regardless of what certbot's logs claim.
Why can't I rely on registrar and CA reminder emails?
Reminder emails are addressed to whoever created the certificate, which after a couple of years is frequently a departed employee, a defunct distribution list, or an agency that no longer holds the contract. They land in inboxes nobody checks, get swept into spam, or arrive at the parked address behind a WHOIS privacy service.
The bigger structural problem: the industry is moving away from reminder emails entirely. Let's Encrypt — which issues the majority of certificates on the web — ended its expiration notification emails in 2025, explicitly telling users to rely on monitoring instead. Meanwhile certificate lifetimes keep shrinking (the CA/Browser Forum has adopted a schedule that pushes maximum validity down dramatically over the next few years), which means more renewals, more often, with more chances for the automation to break. An email that might reach the right person is not a control; an alert wired into your on-call escalation policy is.
What does FourSight's SSL monitor actually check?
Each check performs a real TLS handshake against your endpoint from FourSight's probe network and records the certificate evidence — issuer, subject, SANs, and the exact expiry timestamp — so every alert comes with the data to act on.
| Check | What it catches | Default |
|---|---|---|
| Expiry countdown | Certificate approaching its notAfter date | Alerts at 30, 14, and 7 days (configurable) |
| Host mismatch | Valid certificate served for the wrong hostname (SAN doesn't cover the domain) | Enabled |
| Chain validity | Missing or broken intermediate certificates that fail strict clients | Checked on every cycle |
| Handshake failure | Endpoint no longer completing TLS at all | Incident opened via quorum |
What is host-mismatch detection and why does it matter?
A certificate can be perfectly valid — trusted chain, months of life left — and still break your site, because it's the wrong certificate. This happens constantly in practice: a CDN or load balancer falls back to its default certificate after a configuration change, a wildcard cert gets deployed to a domain it doesn't cover, or a migration points traffic at a server still serving another tenant's cert. Browsers treat all of these as hard security failures.
Expiry-only checkers miss this class of outage completely. FourSight verifies on every check that the certificate's subject alternative names actually cover the hostname being monitored, so a mismatch pages you the same way an expiry would — usually within one check cycle of the misconfiguration going live.
Do I need a separate SSL monitoring tool?
Single-purpose SSL trackers exist, and some are free. The problem is fragmentation: SSL expiry is one of at least eight things that can silently take a production service down, next to DNS drift, domain expiry, dead cron jobs, and plain HTTP outages. Each standalone tool is another dashboard, another alert channel to configure, another account that lapses when its owner leaves.
FourSight's Growth plan bundles SSL monitoring with all eight check types — HTTP, keyword, DNS, domain expiry, ping, port, and heartbeat — under one escalation policy and one status page, at $40/mo flat for 100 monitors. Monitor every certificate you own, including internal and staging endpoints, without counting seats or paying per check.
Included in Growth — $40/mo flat
Never get surprised by an expired certificate again
SSL monitoring is included in the Growth plan with all eight check types, 30-second intervals, 4-region validation, and escalation policies — flat pricing, no per-certificate fees.
- Alerts at 30, 14, and 7 days before expiry — thresholds configurable per monitor
- Host-mismatch and chain validation on every check
- Certificate evidence (issuer, SANs, expiry) attached to every alert
- Email, Slack, webhook alerts — SMS on Pro and above
FAQ
Common questions
How often does FourSight check my SSL certificate?
On your monitor's regular check interval — down to 30 seconds on Growth and Pro, 15 seconds on Scale. Expiry alerts fire once per configured threshold (30/14/7 days by default), so you get three clear warnings rather than a daily drumbeat.
Can I change the 30/14/7-day thresholds?
Yes. The warn days are configurable per monitor — teams with short-lived certificates often use something like 14/7/3, while enterprises with manual procurement set 60/30/14 to cover purchasing lead time.
Does FourSight detect certificates that are valid but for the wrong domain?
Yes — host-mismatch detection is on by default. If the certificate served during the handshake doesn't cover the monitored hostname in its SANs, FourSight raises an alert even though the certificate itself is technically valid.
Can I monitor internal or non-standard-port services?
Any endpoint FourSight's probes can reach over TLS can be monitored, including non-443 ports. For services behind a firewall, allow FourSight's probe regions or monitor the public-facing edge that terminates TLS for real users.
What about Let's Encrypt certificates that renew every 60–90 days?
They're the strongest case for monitoring: more frequent renewals mean more opportunities for silent failure, and Let's Encrypt stopped sending expiry notification emails in 2025. A 30-day warning on a 90-day certificate means your renewal automation gets flagged roughly two weeks after it breaks.
Keep reading
Related guides, terms & comparisons
More check types
Explore FourSight's other monitors
Start monitoring in under 60 seconds
No credit card required. 10 free monitors with 4-region consensus — commercial use allowed.