SSL Certificate Monitor
Certificate renewal is normally automated, which is exactly why a quiet failure is dangerous — nobody notices until the expired cert breaks production. This check looks at certificates we've already discovered for the zone and asks a simple question: did a replacement actually get issued?
What we check
We pull the zone's certificates from our database (sourced from Certificate Transparency logs) and select the ones whose expiration falls inside a window from 60 days in the past to 30 days in the future. Each one is matched against the zone's currently active certificates to see whether a replacement exists with all of these properties:
- A different cert (different serial number).
- An expiration date later than the original's.
- The same issuer — matched on the issuer's organization name, so different intermediates of the same CA (for example Let's Encrypt R3 and R10) count as one.
- A subject alt name set that covers every name on the original.
Cloudflare's universal SSL certificates (those carrying a sni.cloudflaressl.com SAN) are skipped — they show up in CT logs but aren't directly user-managed.
Certificates that expired more than 60 days ago are treated as retired services and ignored.
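The matching rules above, as an added worked example (not the monitor's own code): the issuer is compared on organization name, the replacement must be a different, still-active certificate from the same CA that expires later and covers every SAN, Cloudflare universal SSL certificates are skipped, and anything outside the -60/+30 day window is ignored. The Cert structure, the status names 'ok', 'expiring' and 'expired', and the sample certificates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CLOUDFLARE_UNIVERSAL_SAN = "sni.cloudflaressl.com"

@dataclass(frozen=True)
class Cert:
    serial: str
    issuer_org: str  # issuer organization name, so R3 and R10 both read "Let's Encrypt"
    not_after: datetime
    sans: frozenset

def is_replacement(original, candidate, now):
    """A different, still-active cert from the same CA organization that
    expires later than the original and covers every SAN on it."""
    return (candidate.serial != original.serial
            and candidate.not_after > now
            and candidate.not_after > original.not_after
            and candidate.issuer_org == original.issuer_org
            and original.sans <= candidate.sans)

def check_zone(certs, now, past_days=60, future_days=30):
    """Return (status, flagged): status is 'ok', 'expiring' or 'expired';
    flagged lists (cert, state) for in-window certs with no replacement."""
    managed = [c for c in certs if CLOUDFLARE_UNIVERSAL_SAN not in c.sans]  # skip universal SSL
    window_start = now - timedelta(days=past_days)
    window_end = now + timedelta(days=future_days)
    flagged = []
    for cert in managed:
        if not window_start <= cert.not_after <= window_end:
            continue  # retired (expired >60 days ago) or not yet due
        if any(is_replacement(cert, other, now) for other in managed):
            continue
        flagged.append((cert, "expired" if cert.not_after < now else "expiring"))
    # Assumption: when several certs are flagged, the most severe state wins.
    states = {state for _, state in flagged}
    status = "expired" if "expired" in states else "expiring" if states else "ok"
    return status, flagged

NOW = datetime(2024, 6, 1)  # naive UTC timestamps throughout
SAMPLE_CERTS = [  # constructed sample data, not real certificates
    Cert("01", "Let's Encrypt", datetime(2024, 6, 10), frozenset({"example.com", "www.example.com"})),
    Cert("02", "Let's Encrypt", datetime(2024, 9, 1), frozenset({"example.com", "www.example.com"})),  # renews 01
    Cert("03", "DigiCert Inc", datetime(2024, 5, 20), frozenset({"api.example.com"})),  # expired, no DigiCert successor
    Cert("04", "Let's Encrypt", datetime(2024, 9, 1), frozenset({"api.example.com"})),  # same names, other CA
    Cert("05", "Let's Encrypt", datetime(2024, 6, 15), frozenset({"example.com", "mail.example.com"})),  # not renewed
    Cert("06", "Cloudflare, Inc.", datetime(2024, 6, 5), frozenset({"example.com", CLOUDFLARE_UNIVERSAL_SAN})),
    Cert("07", "Let's Encrypt", datetime(2024, 2, 1), frozenset({"old.example.com"})),  # past 60-day cutoff
]
```

Running check_zone(SAMPLE_CERTS, NOW) flags serial 03 as expired (its only successor is from a different CA) and serial 05 as expiring (no active cert covers mail.example.com), while 01 is cleared by 02 and 06 and 07 are never considered.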
Why it matters
An expired certificate breaks every TLS handshake. If the renewal pipeline silently failed two weeks ago, you have two weeks to find out — but only if something is watching. This check fills that gap by looking at what was actually issued (per CT logs) rather than trusting that the renewal cron ran successfully.
Status outcomes
- No certificates fall inside the review window, or every certificate that does has a same-issuer replacement covering the same names.
- A certificate is set to expire within the next 30 days and no replacement has been issued yet.
- A certificate has already expired (within the past 60 days) and no replacement covering the same domains was issued by the same CA.
How to fix
Issue a replacement certificate from the same CA that covers every name on the original. If the original was retired intentionally, disable the monitor for that zone — once the cert ages past the 60-day cutoff it will stop being checked.
If renewal is automated (ACME, cert-manager, an in-house pipeline), the failure is upstream. Common causes: an HTTP-01 challenge that can't be served, a DNS-01 challenge with a stale credential, or a renewal cron that hasn't run in months.