Scheduled SSL Certificate Expiry Checks

Automate SSL/TLS certificate expiry monitoring with TrigRun. Get alerts before your certificates expire and cause downtime.

Check your SSL certificates weekly and get alerted before they expire. TrigRun calls your certificate check endpoint, which inspects expiry dates and returns the results.

The problem

An expired SSL certificate takes your entire site offline with a browser security warning. Let's Encrypt certificates expire every 90 days. Even with auto-renewal, things break — DNS changes, permission issues, expired accounts. You need a scheduled check that verifies your certs are valid and alerts you before expiry.

How it works with TrigRun

┌─────────────┐  Mon 9 AM    ┌──────────────────┐   checks     ┌──────────────┐
│   TrigRun   │ ────────────▶│ Your Cert Check  │ ────────────▶│ yoursite.com │
│  Scheduler  │  POST /check │     Endpoint     │  TLS handshake│ api.yoursite │
└─────────────┘              └──────────────────┘              │ app.yoursite │
       │                            │                          └──────────────┘
       ▼                            ▼
  Execution log              Returns days until
  with cert status           expiry for each domain

Step-by-step setup

1. Create the weekly check job

curl -X POST https://api.trigrun.com/v1/jobs \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SSL certificate check - all domains",
    "kind": "cron",
    "schedule": {
      "cron": "0 9 * * 1"
    },
    "request": {
      "url": "https://api.yourapp.com/ops/ssl-check",
      "method": "POST",
      "headers": {
        "Authorization": "secret://ops-api-key",
        "Content-Type": "application/json"
      },
      "body": {
        "domains": [
          "yoursite.com",
          "api.yoursite.com",
          "app.yoursite.com",
          "cdn.yoursite.com"
        ],
        "warn_days": 14
      },
      "timeout_seconds": 30
    },
    "retry_policy": {
      "max_attempts": 2,
      "retry_on_statuses": [500, 502, 503]
    }
  }'

2. Alert on failure (cert expiring soon)

Your endpoint should return a non-200 status when a cert is expiring within the warning threshold. Attach a Slack notification to catch it:

curl -X POST https://api.trigrun.com/v1/jobs/JOB_ID/notification-rules \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "channel_id": "SLACK_CHANNEL_ID", "event": "on_failure" }'

Expected results

All certs healthy:

Field	Example value
Status	`200 OK`
Response	`{"all_valid": true, "domains": [{"domain": "yoursite.com", "expires_in_days": 62, "issuer": "Let's Encrypt"}, {"domain": "api.yoursite.com", "expires_in_days": 62, "issuer": "Let's Encrypt"}]}`

Cert expiring soon (your endpoint returns 409):

Field	Example value
Status	`409 Conflict`
Response	`{"all_valid": false, "expiring": [{"domain": "cdn.yoursite.com", "expires_in_days": 6, "issuer": "Let's Encrypt"}]}`
Result	`failed` — Slack alert: "SSL cert for cdn.yoursite.com expires in 6 days"

Your check endpoint

// Node.js example using tls module
const tls = require('tls');

app.post('/ops/ssl-check', async (req, res) => {
  const { domains, warn_days } = req.body;
  const results = await Promise.all(
    domains.map(async (domain) => {
      const cert = await getCertInfo(domain);
      return {
        domain,
        expires_in_days: cert.daysUntilExpiry,
        issuer: cert.issuer,
        valid: cert.daysUntilExpiry > warn_days,
      };
    })
  );

  const expiring = results.filter((r) => !r.valid);

  if (expiring.length > 0) {
    return res.status(409).json({ all_valid: false, expiring });
  }
  res.json({ all_valid: true, domains: results });
});

Scheduled SSL Certificate Expiry Checks

On this page