How to Set Up SSL Certificate Monitoring with Open Source Tools

Prerequisites for SSL Certificate Monitoring

Before you dive into setting up an SSL certificate monitoring tool, you need a few things in place. Honestly, most sysadmins skip the prep and end up debugging scripts at 2 AM. Don't be that person.

What You Need Before Starting

  • A Linux server – Ubuntu 22.04+ or CentOS 8+ with root or sudo access. You'll be installing packages and editing system files.
  • Basic command-line skills – If you can run cron jobs, edit config files in nano or vim, and pipe output to a file, you're good.
  • A list of domains or IPs to monitor – At least one SSL/TLS certificate you control. Start with your own production domains. (Pro tip: test on a staging cert first so you don't accidentally trigger alerts on real traffic.)
  • An email account or SMTP relay – You'll need this for those email notifications for SSL expiry we'll set up later.

Got all that? Good. Let's build your monitoring stack.

Step 1: Install Certbot for Certificate Expiry Checks

If you're already using Let's Encrypt (and honestly, who isn't these days?), Certbot is your best friend. It's not just for issuing certificates – it has built-in checks that can save your bacon.

Using Certbot's Built-in Monitoring

First, install Certbot via your package manager:

sudo apt install certbot   # Ubuntu/Debian
sudo yum install certbot   # CentOS/RHEL

Once installed, run this to see all your managed certificates and their expiry dates:

certbot certificates

You'll get output like Expiry Date: 2026-08-15 12:34:56+00:00. Handy, but it's a manual check. We need automation.

Set up a daily cron job to check expiry and log the results:

crontab -e
# Add this line:
0 6 * * * certbot renew --dry-run >> /var/log/certbot-check.log 2>&1

This runs every morning at 6 AM. The --dry-run flag means it won't actually replace any certificate; it runs a test renewal so you can confirm that renewal would succeed. Error messages go to stderr, so the 2>&1 sends them to the log as well: if something fails, you'll see it there. Simple, effective, and it catches SSL expiration check issues before they become emergencies.

Warning: Certbot only monitors certificates it issued. If you have certs from other CAs (like DigiCert or Sectigo), this step won't help. That's where Step 2 comes in.

Step 2: Deploy ssl-cert-check for Custom Domain Monitoring

Certbot is great, but it's limited. For SSL certificate health check across all your domains – including those not managed by Let's Encrypt – you need a more flexible tool. Enter ssl-cert-check, a lightweight bash script that checks any SSL certificate on any port.

Automating Checks for Non-Certbot Certificates

Download it directly from GitHub:

wget https://github.com/Matty9191/ssl-cert-check/raw/master/ssl-cert-check

Make it executable:

chmod +x ssl-cert-check

Now test it against a domain:

./ssl-cert-check -s example.com -p 443 -x 30

The -x 30 flag tells it to alert if the certificate expires within 30 days. You can adjust this to 14, 7, or even 60 days depending on your renewal policy. The script outputs a clean table with hostname, port, expiry date, and days remaining.

Pro tip: Create a list of all your domains in a text file, then loop through them:

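# Read one domain per line; quoting prevents word splitting and globbing
while IFS= read -r domain; do
  [ -n "$domain" ] && ./ssl-cert-check -s "$domain" -p 443 -x 30 < /dev/null
done < domains.txt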

This script is the backbone of your open-source monitoring. It's simple, reliable, and doesn't require a database or web server. Pure bash magic.

Step 3: Integrate with Nagios or Zabbix for Alerting

Running scripts manually is fine for a handful of domains. But when you're managing 20, 50, or 200 certificates, you need a proper monitoring system. Nagios and Zabbix are the old guard, and for good reason – they're battle-tested.

Centralized Monitoring and Notifications

Install the Nagios SSL check plugin:

sudo apt install nagios-plugins-contrib   # Ubuntu/Debian

Then define a command in your Nagios configuration:

define command {
  command_name    check_ssl_cert
  command_line    /usr/lib/nagios/plugins/check_ssl_cert -H $HOSTADDRESS$
}

Create a service definition for each host with an SSL certificate. Nagios will check the certificate on every monitoring cycle and alert if it's about to expire or if there's a validation error.

For Zabbix users, it's even easier. Zabbix has a built-in web certificate monitoring template. Just assign it to your hosts, set a trigger for expiry within 30 days, and configure an action to send email notifications. Zabbix also supports real-time SSL monitoring dashboards, which is great for visual teams.

Note: Both Nagios and Zabbix require some upfront config time. But once they're running, they'll check every certificate on every host automatically. No more manual openssl s_client commands at 3 AM.

Step 4: Set Up a Cron Job for Daily Email Reports

Not everyone has Nagios or Zabbix. If you're a small team or a solo admin, a simple bash script with cron is your best bet. It's low-maintenance and gets the job done.

Simple Bash Script for Notification

Create the script:

nano /usr/local/bin/ssl-monitor.sh

Paste this content (adjust paths and email as needed; it calls ssl-cert-check from /usr/local/bin, so copy the script from Step 2 there first):

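#!/bin/bash
# Daily SSL expiry report: check every domain in $DOMAINS and mail the result.
EMAIL="admin@example.com"   # placeholder: replace with your own address
LOGFILE="/var/log/ssl-monitor.log"
DOMAINS="/etc/ssl-monitor/domains.txt"

# Start a fresh report on every run
echo "SSL Certificate Expiry Report - $(date)" > "$LOGFILE"
echo "========================================" >> "$LOGFILE"

# One domain per line; errors (stderr) go into the report too
while IFS= read -r domain; do
  [ -n "$domain" ] || continue
  /usr/local/bin/ssl-cert-check -s "$domain" -p 443 -x 30 >> "$LOGFILE" 2>&1 < /dev/null
done < "$DOMAINS"

# Send the report via email
mail -s "SSL Certificate Expiry Report" "$EMAIL" < "$LOGFILE"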

Make it executable:

chmod +x /usr/local/bin/ssl-monitor.sh

Now add it to cron:

crontab -e
# Run every morning at 7 AM:
0 7 * * * /usr/local/bin/ssl-monitor.sh

Test it manually first:

sudo /usr/local/bin/ssl-monitor.sh

Check your inbox. If you see the report, you're golden. If not, check your mail system – common culprits are missing mailutils (install with sudo apt install mailutils) or a misconfigured SMTP relay.

This gives you daily email notifications for SSL expiry without any third-party services. Simple, free, and effective.

Step 5: Enhance with crtmgr.com for Advanced Monitoring

Open source tools are fantastic – I've used them for years. But they have limits. When you're managing certificates across multiple teams, cloud providers, and environments, the bash scripts start to feel... fragile.

When Open Source Needs a Boost

That's where crtmgr.com comes in. It's a cloud-based SSL certificate monitoring tool that does everything our open-source stack does – and then some. Here's what it adds:

  • Instant alerts via Slack, email, webhooks, and PagerDuty. No cron jobs, no mail config headaches.
  • Multi-domain management without scripting. Add 10 or 100 domains in seconds through a web dashboard.
  • Real-time SSL monitoring dashboards with expiry timelines, certificate details, and health scores.
  • Team collaboration – assign certificates to different team members, set role-based access, and share reports.

I'm not saying abandon your open-source setup. Far from it. Use crtmgr.com alongside your existing tools for redundancy. If your Nagios server goes down, crtmgr.com still has your back. If your bash script fails because someone changed a domain name, crtmgr.com catches it.

For teams managing more than 10 certificates, the time savings alone justify the switch. No more SSHing into servers to debug cron jobs. No more "oh crap, that cert expired over the weekend" moments.

Summary and Next Steps

Let's recap the full setup:

  1. Install Certbot – for Let's Encrypt certificates and basic expiry checks via cron.
  2. Deploy ssl-cert-check – for monitoring all other certificates, including non-Let's Encrypt CAs.
  3. Integrate with Nagios or Zabbix – for centralized, automated alerting across your infrastructure.
  4. Set up a cron email report – for a simple, no-fuss daily notification.
  5. Enhance with crtmgr.com – for advanced features, team management, and redundancy.

Keeping Your SSL Monitoring Running Smoothly

A few final tips from someone who's been burned by expired certificates:

  • Test your alerts regularly. Set up a test certificate that expires in 7 days and verify your monitoring tools catch it. Do this monthly.
  • Review logs weekly. A cron job that silently fails is worse than no monitoring at all. Check /var/log/ssl-monitor.log and your Nagios/Zabbix alerts every Monday morning.
  • Consider upgrading to a dedicated tool like crtmgr.com if managing SSL expiry becomes time-consuming. When you're spending more time maintaining the monitoring scripts than actually monitoring, it's a sign you've outgrown open source.
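
The monthly alert test from the first tip, written out as an added example (not part of the original article): it generates a throwaway self-signed certificate valid for 7 days with openssl, confirms that a threshold check flags it, and confirms that an unreadable file is reported as an error rather than as healthy. The function names and the CN expiry-test.invalid are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: build a short-lived test certificate and prove that the
# expiry check fires on it. All names and paths here are constructed.

# Create a self-signed certificate valid for $2 days in directory $1.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=expiry-test.invalid" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# check_cert_file FILE DAYS
# Exit status: 0 = valid beyond DAYS, 1 = expires within DAYS,
# 2 = file missing or not a certificate (a broken check must not look "OK").
check_cert_file() {
  openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1 || return 1
  return 0
}

# Self-test: a 7-day certificate must trip a 30-day threshold, must pass a
# 3-day threshold, and a missing file must come back as an error (2).
# Prints the three exit codes; "1 0 2" means the monitoring logic works.
selftest() {
  tmp=$(mktemp -d) || return 2
  make_test_cert "$tmp" 7 || { rm -rf "$tmp"; return 2; }
  at30=0; check_cert_file "$tmp/cert.pem" 30 || at30=$?
  at3=0;  check_cert_file "$tmp/cert.pem" 3  || at3=$?
  gone=0; check_cert_file "$tmp/missing.pem" 30 || gone=$?
  rm -rf "$tmp"
  echo "$at30 $at3 $gone"
}
```

Run selftest from the same cron schedule as the report and alert whenever its output is anything other than "1 0 2".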

SSL certificates are the backbone of trust on the internet. One expired cert can cost you thousands in lost revenue and damaged reputation. With this setup – open source tools backed by crtmgr.com – you'll never miss an expiry again.

Frequently Asked Questions

What is an SSL certificate monitoring tool?

An SSL certificate monitoring tool is a software solution that automatically tracks the expiration dates, validity, and security status of SSL/TLS certificates on your servers. It helps prevent unexpected certificate expirations, which can cause website downtime and security warnings, by sending alerts before certificates expire.

Why should I use open source tools for SSL certificate monitoring?

Open source tools for SSL certificate monitoring offer cost-effectiveness, transparency, and customization. They allow you to audit the code for security, integrate with your existing infrastructure, and avoid vendor lock-in. Popular options include Certbot, Let's Encrypt's monitoring scripts, and tools like Checkmk or Prometheus with exporters.

How do I set up SSL certificate monitoring with an open source tool like Certbot?

To set up monitoring with Certbot, first install Certbot on your server. Then, you can use its built-in renewal hooks or cron jobs to check certificate expiry dates. For example, you can create a script that runs daily via cron, parses Certbot's certificate status, and sends email alerts if expiration is within 30 days. Alternatively, use Certbot's '--dry-run' mode to test renewals and log results.
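
One way to write the script this answer describes, using the `certbot certificates` output from Step 1 (an added example, not code from the original article or from the Certbot project): it parses each Expiry Date line and flags certificates that are expired or inside the threshold. The function names and the sample hosts are constructed for the example, and it assumes GNU date.

```bash
#!/usr/bin/env bash
# Added example: flag certificates in `certbot certificates` output that are
# expired or expire within a threshold. Needs GNU date (Ubuntu/CentOS default).

# Constructed sample output (hypothetical hosts, not from a real server).
sample_output() {
  cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2026-08-15 12:34:56+00:00 (VALID: 75 days)
  Certificate Name: staging.example.com
    Domains: staging.example.com
    Expiry Date: 2026-06-10 08:00:00+00:00 (VALID: 9 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2026-05-20 08:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Usage: certbot certificates 2>/dev/null | expiring_certs DAYS [NOW_EPOCH]
# Prints "name days_left" (or EXPIRED / UNPARSEABLE) for each problem cert.
# Exit status is 1 if anything was printed, so a cron wrapper can alert on it.
expiring_certs() (
  threshold=$1 now=${2:-$(date +%s)} name="" found=0
  while IFS= read -r line; do
    case $line in
      *"Certificate Name: "*) name=${line#*Certificate Name: } ;;
      *"Expiry Date: "*)
        expiry=${line#*Expiry Date: }
        expiry=${expiry%% (*}          # drop the "(VALID: N days)" suffix
        if ! exp=$(date -u -d "$expiry" +%s 2>/dev/null); then
          echo "$name UNPARSEABLE"; found=1   # fail loudly, never silently
        elif [ "$exp" -le "$now" ]; then
          echo "$name EXPIRED"; found=1
        elif [ $(( (exp - now) / 86400 )) -le "$threshold" ]; then
          echo "$name $(( (exp - now) / 86400 ))"; found=1
        fi ;;
    esac
  done
  [ "$found" -eq 0 ]
)
```

Because the exit status is non-zero only when something is flagged, the output can be piped to mail conditionally instead of sending a report every day.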

What are the key features to look for in an SSL certificate monitoring tool?

Key features include automatic certificate expiration alerts (via email, Slack, or webhook), support for multiple certificates and domains, validation of certificate chain and revocation status, integration with certificate authorities like Let's Encrypt, and the ability to monitor certificates across different servers or cloud environments. Open source tools often add flexibility for custom alert thresholds and logging.

Can I monitor SSL certificates from multiple servers with one open source tool?

Yes, you can monitor SSL certificates from multiple servers using a centralized open source tool like Prometheus with the SSL exporter, or by setting up a dedicated monitoring server that runs scripts to check certificates on each remote server. Tools like Nagios, Zabbix, or Checkmk also support distributed monitoring with SSL checks, allowing you to aggregate status and alerts for all your certificates in one place.