For sysadmins • Free • Unlimited domains

SSL Monitoring for System Administrators

Production fleets, mixed environments, dozens of domains across multiple CAs. Free Telegram alerts that fire when your renewal automation silently fails — independent of your existing monitoring stack.

Pairs with Nagios, Zabbix, Prometheus, cert-manager, certbot

The sysadmin reality

You don't manage one cert; you manage a hundred. Different CAs (Let's Encrypt for the public sites, an internal CA for the corp tier, ZeroSSL because someone's old playbook still uses it, a commercial wildcard for one legacy app). Different renewal mechanisms (certbot timers, cert-manager Issuers, vendor portals, Cloudflare Universal SSL, ACM, Key Vault). Different teams who all assume someone else is watching.

Renewal automation is great until the day it isn't. The classics:

  • HTTP-01 broken — port 80 firewalled by a misapplied IaC change.
  • DNS-01 broken — provider API token rotated, nobody updated the secret.
  • cert-manager stuck in a CertificateRequest backoff loop nobody's watching.
  • certbot timer failing silently after a kernel upgrade orphaned the systemd unit.
  • Edge cert renewed correctly but the deploy step that pushes it to the load balancer skipped.

Internal monitoring catches some of this. An independent external check catches the rest.

Three layers, working together

Certimon doesn't replace your existing SSL monitoring — it adds the layer most teams are missing.

1. Renewal automation

certbot, cert-manager, acme.sh, Caddy, ACM, Cloudflare Universal SSL. The thing that issues and rotates the cert.

2. Internal monitoring

Nagios check_ssl_cert, Zabbix web.cert.x509, Prometheus blackbox_exporter with probe_ssl_earliest_cert_expiry. Granular metrics, dashboards, escalation policies.

3. Independent external watcher

Certimon. Hosted off-site, checks public TLS, pings Telegram. Fires even when your monitoring stack itself is down — the silent-failure killer.

Operational workflows

Bulk-register a fleet

Send each domain in a single chat session. Use the 30/7/1 day pattern so you get an early warning, a real warning, and a last-call ping.

/remind www.example.com 30
/remind www.example.com 7
/remind www.example.com 1
/remind api.example.com 30
/remind admin.example.com 30
/list # confirm what's registered

Audit a host before a maintenance window

Check what the public internet currently sees on a host before you start touching its TLS config:

/check www.example.com # issuer, expiry, chain summary

Pair with the standard openssl one-liner for the version with everything:

echo | openssl s_client -showcerts \
  -servername www.example.com \
  -connect www.example.com:443 \
  2>/dev/null \
  | openssl x509 -noout -text
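
The same outside-in view can be scripted. This is an added example, not Certimon's code or API: it performs a normal validating TLS handshake with SNI, reads the leaf certificate's notAfter, and reports which of the 30/7/1-day thresholds described above have been reached. The function names are illustrative assumptions.

```python
# Added example: names are illustrative, not part of Certimon or any tool on this page.
from __future__ import annotations

import socket
import ssl
from datetime import datetime, timezone

THRESHOLDS = (30, 7, 1)  # the 30/7/1-day reminder pattern


def days_left(not_after: str, now: datetime) -> int:
    """Whole days from `now` to a notAfter string in getpeercert() format,
    e.g. 'Jun  1 12:00:00 2030 GMT'. Negative once the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def crossed(days: int) -> list[int]:
    """Thresholds already reached, widest first."""
    return [t for t in THRESHOLDS if days <= t]


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake the way a public client does (SNI, chain and hostname
    validation) and return the leaf certificate's notAfter field."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host: str, now: datetime | None = None) -> dict:
    now = now or datetime.now(timezone.utc)
    try:
        d = days_left(fetch_not_after(host), now)
    except ssl.SSLCertVerificationError as e:
        # Expired cert, wrong hostname or incomplete chain: validation fails
        # during the handshake, so report the verifier's reason instead.
        return {"host": host, "status": "invalid", "detail": e.verify_message}
    except OSError as e:
        # DNS failure, refused connection, timeout, other TLS errors.
        return {"host": host, "status": "unreachable", "detail": str(e)}
    return {"host": host, "status": "ok", "days_left": d, "crossed": crossed(d)}


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(check(h))
```

Run it from a machine outside the network being checked, so it sees the certificate the load balancer is actually serving rather than the one on disk.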

Trigger an early dry-run renewal

When Certimon pings you at the 30-day window, validate renewal works now rather than at 1 day:

sudo certbot renew --dry-run --cert-name www.example.com
# or for cert-manager:
kubectl annotate certificate www-example-com \
  cert-manager.io/issue-temporary-certificate="true" \
  --overwrite

When Certimon is the right tool — and when it isn't

Use Certimon for

  • Public-facing production hostnames
  • An out-of-band channel (Telegram) when your normal alerting (email, PagerDuty) is the thing that broke
  • Long-tail domains that don't justify a Nagios/Zabbix host definition
  • Cross-team coverage where ownership is fuzzy
  • Replacing the Let's Encrypt expiration emails that ended in June 2025

Use something else for

  • Internal-only services (use blackbox_exporter on the management network — see Prometheus SSL guide)
  • Granular per-host SLOs and historical metrics (Zabbix or Prometheus)
  • Compliance auditing requiring on-prem evidence
  • Dashboards (Grafana — see Grafana SSL guide)

FAQ

How often does Certimon re-check each domain?

Hourly. You can also fire /check example.com on demand for an immediate verification.

Can multiple operators share one Certimon view?

Add @CertimonBot to a Telegram group; reminders fired for that group ping the whole channel. Useful for an on-call rotation.

Is there a programmatic API?

For external SSL checks see the SSL checker API alternatives page. The Telegram bot itself is the registration interface for reminders.

What's logged about my domains?

Hostnames you register and the certificate metadata returned by the public TLS handshake. No private data, no traffic inspection.

Will it page me at 3am?

Telegram fires whatever notification settings you have for that chat. Mute the bot if you want quiet windows; reminders queue and re-deliver.

Add the layer that catches what your monitoring stack misses

Free, hosted off-site, fires Telegram alerts from outside your infrastructure. Pair with whatever you already run.

Open @CertimonBot