🔭 Want to get alerted when your SSL certificate expires?
Go to Better Uptime and start with SSL monitoring in 2 minutes.
SSL certificate monitoring is an automated way of checking whether an SSL certificate is valid and when it expires. When a website's SSL certificate becomes invalid or close to the expiration date, the SSL monitoring spots the issue and alerts the right person on the development team.
Go to Better Uptime and start with SSL monitoring in 2 minutes.
The SSL certificate monitoring process works by sending
automated HTTP requests
at a pre-defined frequency to the desired URL and checking the validity of its
HTTP GET requests are usually used as they get the entire
website. The pre-defined frequency depends on the specific user need but
generally ranges from 30 seconds for business websites up to 10 or more minutes
for hobby projects.
The desired response from the monitored URL is that the SSL certificate is valid. If a valid certificate is received, no further action is taken, and the monitoring continues. However, when an invalid certificate is returned, the monitor starts what is called an SSL certificate incident and starts alerting according to the on-call calendar.
Since the expiration date is also monitored, when the expiration date crosses a set threshold (usually 7 or 3 days), an alert is triggered, and an incident is created.
As with any form of authentication, SSL certificates need to expire so they can be periodically re-validated and security is maintained. The main reasons for SSL expiry are:
The main reason for the expiration of SSL certificates is the server authentication use-case. The certificate lifecycle needs to be kept limited to provide a reasonable guarantee that the owner of the SSL certificate actually has control over the domain.
Since domains and businesses change hands all the time the certificates must reflect that, and by expiring, they force new owners to get new certificates. If they didn't, someone could purchase a domain together with a certificate and impersonate an old operator of the domain.
The other reason for expiration dates is to facilitate improving security standards. By limiting the time a certificate lasts, both users and developers are forced to adopt the most up-to-date security practices. This allows for faster development of the SSL/TLS ecosystem.
When an SSL certificate expires, all the benefits of HTTPS are lost. This means that any visitor going on a website will see a security notification from the browser saying that the website doesn't provide a secure connection and that it might be possibly dangerous.
Some browsers might even prevent users from accessing the website altogether (see a google chrome example below).
However, the expired SSL certificate doesn't stop an encrypted data flow to and from the website. But even though the encryption is still functional, it doesn't mean that a new SSL certificate deployment should be delayed.
An SSL certificate incident is a period of time during which a given URL has an invalid SSL certificate. Any users that are trying to use the service during the incident will see a website's security warning page generated by their browser. Those pages differ based on the browser but generally significantly decrease the number of visitors accessing the website.
After an incident is spotted by the SSL certificate monitoring tool, it needs to be communicated to the service admins. This process is called incident alerting or on-call alerting. In case of an incident, the person from a team who is currently on-call (has scheduled duty) receives the incident alert.
The most common types of getting alerted by an SSL certificate monitor include automated phone calls, SMS, Slack, and Microsoft Teams messages. Ways of alerting depend on factors like the importance of the monitored service, time of the day, and team preference.
SSL certificate alerts include information about what URL has an SSL certificate error and when it occurred. It also provides information about the error that triggered the incident, specifically the received response and a site screenshot. Screenshots can't be taken everywhere but in the case of website monitoring, they offer a great insight into what went wrong and what customers experienced.
SSL certificate alerts also include a call to action for the on-call person. Those usually have the option to acknowledge the incident or to view the incident.
After an alert is received, it should be acknowledged immediately. If the alert is not acknowledged in a specified time frame (usually 3 minutes), the person next in line on the on-call duty is alerted. This process could continue further until the whole team is alerted. However, the best practice is to have the on-call schedule set up in a way that the first team member is always ready to solve incoming incidents.
Once the incident is acknowledged the escalation process is paused and the team can fully focus on solving it. The speed by which an alert is acknowledged is called Time to acknowledge (TTA). Its average from different incidents called Mean Time to Acknowledge (MTTA) is a widely used incident management metric.
The following steps in the downtime resolution process are individual to different teams and apps. For larger teams, they can include collaborations between a few developers or even teams of developers, delegations of incidents to dedicated team members, and more. There are some best practices that all teams managing incidents should use. These include incident communication (both internal and external) and incident post-mortems.
This depends on the specific certificate authority you are using; however, the expiration periods are getting shorter. For example, Let's Encrypt certificates are valid for 90 days and the recommended period for renewal is every 60 days.
The best practice for handling SSL certificates is to fully automate renewals or set them up with a provider like Cloudflare that handles their renewal for you. It's recommended to set up automated monitoring for the certificates for both cases to ensure that the automated renewals run correctly.
When using automated tasks like cron jobs to run scheduled SSL certificate renewals, it's a best practice to set up monitoring for those. Cron job monitoring checks whether the automated renewals run correctly and if they don't, you get alerted.
This adds an extra layer of protection to your system as it notifies you right when something goes wrong helping you to troubleshoot and solve the issue before the SSL monitor would notify you about the upcoming certificate expiry.
Commonly used is, for example, monitoring of certbot, which is used to run automated, Let's Encrypt certificate renewals.
SSL monitoring allows you to get alerted before an SSL certificate expires, giving you time to renew it before it becomes invalid, causing an error. This proactive approach is the best way of preventing any SSL certificate-caused incidents.
SSL certificate monitoring is a fully automated process that can run as often as every 30 seconds, which helps to discover any issues right away. In a best-case scenario, any SSL certificate errors are fixed quickly, keeping the number of affected users to a minimum.
Although an expired SSL certificate doesn't stop the encryption of the data flow from and to the website, it is a security issue that should be solved immediately. With monitoring, this security flaw can be identified and solved as quickly as possible.
When an SSL certificate expires, all the benefits of authentication and HTTPS are lost. This means that any visitor going on a website will see a security notification from the browser that states that the website might be possibly dangerous. Monitoring helps to prevent any significant decline in visitors.
SSL certificate monitoring is the main but not the only part of the synthetic monitoring toolbox. When it comes to website monitoring, SSL certificate checks are ideally accompanied by basic uptime checks. The best practice is also to set up domain expiration monitoring to prevent any security issues or loss of valuable business assets.
Better Uptime is an infrastructure monitoring tool that offers SSL certificate monitoring together with regular uptime checks. Here is how to get notified whenever an URL returns an invalid SSL certificate.
For more information, explore Better Uptime docs.
Get notified with a radically better
infrastructure monitoring platform.