When this workflow is a good fit
Use Prometheus when your services are already scraped and you want expiry alerts expressed as PromQL rules with the rest of your SRE alerts.
Concise setup overview
Expose certificate expiry metrics
Use an exporter, blackbox probing workflow, or service metric that publishes the certificate expiration timestamp for each target.
Write a PromQL alert
Compare the expiry timestamp with the current time and alert when the remaining seconds fall below your renewal threshold.
Route through Alertmanager
Send certificate-expiry alerts to the right receiver with labels for target, environment, owner, and severity.
Test with a safe target
Use a test endpoint or shortened threshold to confirm scraping, alert evaluation, and Alertmanager routing all work end to end.
Trade-offs to consider
- Very flexible for engineering teams, but depends on correct exporters, scrape targets, and Alertmanager routing.
- A missing scrape can hide the signal unless you also alert on absent metrics.
- Prometheus is powerful infrastructure; it can be too much for one or two public websites.
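The setup steps and the absent-metric trade-off above, written as one Prometheus rule file. This is an added example, not configuration from this page or from Certimon; it assumes the blackbox exporter's `probe_ssl_earliest_cert_expiry` and `probe_success` metrics, and the job name `blackbox-tls`, the 14-day and 3-day thresholds, the `for` durations and the `owner` value are assumptions to replace with your own.

```yaml
# Added example rule file (load via rule_files in prometheus.yml).
# Assumed: scrape job "blackbox-tls" probing HTTPS/TLS targets.
groups:
  - name: tls-certificate-expiry
    rules:
      # Remaining lifetime = expiry timestamp - current time, in seconds.
      - alert: TLSCertificateExpiringSoon
        expr: probe_ssl_earliest_cert_expiry{job="blackbox-tls"} - time() < 14 * 24 * 3600
        for: 1h
        labels:
          severity: warning
          owner: platform-team        # constructed value; Alertmanager can route on it
        annotations:
          summary: "Certificate for {{ $labels.instance }} expires in {{ $value | humanizeDuration }}"

      # Same comparison with a tighter threshold and a paging severity.
      - alert: TLSCertificateExpiryCritical
        expr: probe_ssl_earliest_cert_expiry{job="blackbox-tls"} - time() < 3 * 24 * 3600
        for: 10m
        labels:
          severity: critical
          owner: platform-team
        annotations:
          summary: "Certificate for {{ $labels.instance }} expires in {{ $value | humanizeDuration }}"

      # A failing probe exports no usable expiry value for that target,
      # so the rules above stay silent. Alert on the probe itself.
      - alert: TLSProbeFailing
        expr: probe_success{job="blackbox-tls"} == 0
        for: 15m
        labels:
          severity: warning
          owner: platform-team
        annotations:
          summary: "TLS probe for {{ $labels.instance }} is failing; expiry is not being measured"

      # No series at all for the job: exporter removed, job renamed,
      # or scrape config lost. absent() returns 1 only in that case.
      - alert: TLSExpiryMetricAbsent
        expr: absent(probe_ssl_earliest_cert_expiry{job="blackbox-tls"})
        for: 15m
        labels:
          severity: critical
          owner: platform-team
        annotations:
          summary: "No certificate expiry metrics are being scraped for job blackbox-tls"
```

For the end-to-end test, temporarily raise the warning threshold above the remaining lifetime of a test endpoint's certificate and confirm the alert reaches the intended Alertmanager receiver.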
When to add Certimon
Add Certimon if you need a fast outside-in certificate reminder, an independent Telegram alert path, or coverage for domains that are not currently part of Prometheus scraping.
Certimon does not need to replace your observability stack. It is useful as a lightweight second path for certificate-expiry reminders, especially for side projects, client domains, and external domains that are not fully covered by your normal infrastructure monitoring.