SSL certificate expiry monitoring for your SaaS status page
An expired TLS certificate takes down HTTPS before your app logic fails. Customers see browser warnings; API clients get handshake errors. Uptime on /health goes red at the same moment — but advance warning before expiry saves weekend renewals.
StillOnline offers dedicated SSL certificate checks (hourly probe, expiry alerts) alongside HTTP uptime checks. This guide covers what each check type does, how cert outages appear on your status page, and plan limits on Free (one URL check per project).
Quick answer
Add an SSL check in StillOnline for your production hostname — probes run every one hour (fixed interval), with owner alerts when expiry is within your configured window (default 14 days). An HTTP check on the same host also fails when the cert is invalid, but without early expiry warning. Free allows one check per project — choose HTTP uptime or SSL early warning until Pro adds up to 10 checks. Publish cert-related downtime on a Payments or API component, not a vague “everything down” banner.
HTTP check vs SSL check
| Check type | Interval (typical) | Detects | Best for |
|---|---|---|---|
HTTP GET /health | 5 min (Free) | Site unreachable, bad cert at handshake | Customer-visible uptime |
| SSL certificate | 1 hour (fixed) | Expiry date, chain issues before traffic dies | Renewal reminders |
Per RFC 8446, TLS must succeed before HTTP — a dead cert means both checks fail once expired.
When the cert expires — status page messaging
- Before expiry — SSL check alerts you (email, Telegram, Slack); status page can stay green if HTTP still works.
- At expiry — HTTP check goes DOWN; open an incident on the component customers hit (usually API or App).
- After renew — wait for two successful probes before resolving; CDN caches may lag.
Link subscribers to stillonline.tech/{locale}/s/{id} — not Twitter alone. See public status page guide.
Setup in StillOnline
- App → project → New check → SSL.
- Enter
https://api.yourproduct.com(hostname matters; path optional). - Set alert threshold (days before expiry) if the UI exposes it — default 14 days.
- On Free, if you already use the single slot for HTTP, upgrade to Pro for both — pricing.
HTTP check on the same host:
curl -vI https://api.yourproduct.com/health 2>&1 | grep -i expire
Use openssl s_client for local debugging; StillOnline probes from its worker network.
Indie pitfalls
| Issue | Mitigation |
|---|---|
| Cert on CDN, origin forgotten | Monitor customer-facing hostname StillOnline users hit |
| Auto-renew failed (Let’s Encrypt) | SSL check + calendar reminder |
| Wildcard renewed, leaf missed | Check the exact API host |
Only monitoring marketing www | API subdomain may expire separately — API-only checks |
Related guides
- Health check URL quickstart
- False positive uptime tuning
- Public status page for SaaS
- Side-project monitoring checklist
FAQ
Does StillOnline SSL monitoring replace Certbot reminders?
It complements them. StillOnline alerts owners through your configured channels; you still renew at the CA or CDN.
Will an SSL check alone keep my status page green when HTTPS is broken?
No. When the cert is invalid, HTTP checks fail too. SSL check adds early expiry warning while HTTPS still works.