When this workflow is a good fit
Use Zabbix when you already run it for infrastructure monitoring and want certificate expiry in the same alerting model as host, service, and network checks.
Concise setup overview
Pick the domains and ports to monitor
List public HTTPS endpoints and any non-standard TLS ports that matter. Keep hostnames explicit so alerts map to the service owner.
Use a template, web scenario, or external script
Model each certificate expiry check as a Zabbix item that returns days remaining. Community templates or scripts can work well, but validate them against your Zabbix version before relying on them.
Create trigger thresholds
Add warning and high-severity triggers such as certificates expiring within 30, 14, or 7 days. Tune thresholds to match your renewal automation.
Test the notification path
Force a low threshold in a non-production item or use a known short-lived test certificate to verify that the right person receives the alert.
Trade-offs to consider
- •Great if your team already lives in Zabbix; heavier than necessary for a small site or a few side-project domains.
- •External scripts and templates need maintenance when Zabbix or OpenSSL output changes.
- •Alert routing is powerful, but certificate reminders can get lost alongside noisy infrastructure alerts.
When to add Certimon
Add Certimon when you want an independent Telegram reminder outside Zabbix, a quick monitor for a domain that is not in your Zabbix inventory, or a second channel after Let’s Encrypt email alerts stopped.
Certimon does not need to replace your observability stack. It is useful as a lightweight second path for certificate-expiry reminders, especially for side projects, client domains, and external domains that are not fully covered by your normal infrastructure monitoring.