SSL Certificates Monitoring

ℹ️ About SSL certificate monitoring

INFRAX checks SSL certificate expiration for Web services that use https:// URLs. When the remaining lifetime reaches the Warning or Critical thresholds, the system creates a monitoring incident in Helpdesk and can close it automatically after renewal. If Do not validate the SSL certificate is enabled for the Web service, the check is skipped.

Section Contents

System Overview

SSL certificate monitoring is used to keep HTTPS services under control. It tracks the certificate expiration date, creates incidents when the remaining lifetime crosses the configured thresholds, and helps close them after renewal.

What the monitoring does

  • Checks HTTPS services - only Web services with a https:// URL are included
  • Uses two thresholds - separate values for Warning and Critical
  • Keeps one active incident per node - duplicates are not created
  • Supports escalation - a warning incident can be upgraded to critical when the certificate degrades further
  • Closes automatically - after renewal, if the incident has no executor assigned
  • Shows history - changes are visible in trigger history and Helpdesk
⚠️ Requirements

The check works only for Web services with a full HTTPS URL. http:// addresses are skipped, and services with Do not validate the SSL certificate enabled are excluded from SSL monitoring.

How It Works

The SSL check runs on a schedule and processes all nodes that have a Web service configured with an HTTPS URL.

Check flow

  1. Find nodes - the system selects nodes with a Web service and a configured URL
  2. Apply guards - nodes without https:// or with SSL validation disabled are skipped
  3. Connect to the endpoint - the certificate is read from the HTTPS endpoint
  4. Calculate remaining days - the remaining lifetime is computed
  5. Determine severity - the result is compared with the Warning and Critical thresholds
  6. Create or update the incident - the system creates a new incident or escalates an existing one when needed

What the system reads

Parameter Description
URL The Web service address used for the check
Host The host name extracted from the URL
Valid from The certificate start date
Valid to The certificate expiration date
Issuer The certificate authority that issued the certificate
Remaining days How many days are left until expiration
Severity Warning or Critical, depending on the configured thresholds

Monitoring Configuration

SSL certificate monitoring is configured on a node or folder under the Monitoring tab. Values can be entered directly or inherited from the parent folder.

Set up the Web service

📝 First step

Before enabling SSL monitoring, make sure the node has a Web service with a full URL starting with https://.

  1. Open the node settings
  2. On the General tab, in Services / connection protocols, add or update the Web service
  3. Enter the full HTTPS URL, for example https://example.com
  4. Add a non-standard port directly in the URL if needed
  5. If the certificate should not be validated for this service, enable Do not validate the SSL certificate

SSL monitoring parameters

After the Web service is configured, open the Monitoring tab and go to SSL certificates.

Parameter Description Behavior
Create incident Enables incident creation when expiration gets close If disabled, SSL events do not create incidents
Auto-close incident Closes the incident after the certificate is renewed Available only when incident creation is enabled
Warning The threshold that creates a warning-level incident Inherited from the parent folder if not set locally
Critical The threshold for the critical state Must be lower than Warning
💡 Inheritance

SSL monitoring settings are often best defined at folder level. For example, you can enable incident creation for all production servers and keep only node-specific thresholds where they differ from the common standard.

Recommended threshold values

Service type Recommended Warning Recommended Critical
Critical production services 60 days 14 days
Typical public websites 30 days 7 days
Test environments 14-21 days 3-7 days
Internal services 14 days 3 days

Incident Creation

When the remaining lifetime becomes lower than the configured Warning or Critical threshold, the system creates a monitoring incident. Priority, SLA handling, and service routing come from the Helpdesk settings for SSL incidents.

How severity is chosen

Situation Result
Remaining days are above both Warning and Critical No incident is created
Remaining days are below Warning but above Critical A warning-level incident is created
Remaining days are less than or equal to Critical A critical incident is created
An open incident already exists and the situation becomes critical The existing incident is escalated instead of duplicating it

What the incident contains

  • Title - includes the node name, expiration date, and remaining days
  • Website URL - the address of the checked Web service
  • Expiration date - the exact certificate expiration timestamp
  • Remaining days - the lifetime calculation
  • Issuer information - certificate authority details
  • Certificate data - subject, issuer, and validity period
  • Check link - an external SSL Checker for manual verification
  • Node link - the incident is linked to the network node automatically

Duplicate prevention

  • Only one active SSL incident can exist per node
  • If an incident already exists, a new one is not created
  • After the incident is closed and the certificate falls below the threshold again, a new incident is created

Automatic Incident Closure

When the certificate is renewed and the remaining lifetime becomes safe again, the system can close the incident automatically.

Automatic close conditions

The incident is closed automatically if:

  1. Auto-close incident is enabled
  2. The remaining days are now above the threshold that caused the incident
  3. The incident is not assigned to an executor
  4. The certificate is successfully validated and no longer considered problematic

What happens on close

  • A system message about certificate recovery is added to the incident
  • The status changes to Done, which appears as Closed in node incident lists
  • After closure, monitoring continues to watch the same URL and creates a new incident if the certificate approaches the threshold again
  • If notifications are configured, the closure event is sent out
✅ Practical benefit

Automatic closure saves time when certificates are renewed by Let’s Encrypt, ACME clients, or another scheduled renewal process.

Viewing Certificate Status

You can track SSL certificate status through Helpdesk, the node card, and trigger history.

Through Helpdesk

  1. Open the Helpdesk section
  2. SSL incidents appear as monitoring incidents
  3. Done means the incident is closed
  4. The priority shows how urgently the certificate needs to be renewed

Through the node card

  1. Open the node card with the Web service configured
  2. Go to the Tickets tab
  3. All related incidents are shown there, including SSL events

Through trigger history

  1. Open Monitoring → Triggers History
  2. Select the SSL certificates filter
  3. Review the changes to Create incident, Warning, Critical, and Auto-close incident

Error Handling

SSL certificate monitoring handles both certificate-level issues and connectivity problems with the HTTPS endpoint.

Error types

Error type Cause System action
Connection error The server is unavailable, the port is closed, or DNS resolution fails A critical incident is created after several attempts
Expired certificate The certificate has already expired An incident is created with critical severity
Invalid certificate Trust chain or TLS configuration problems An incident is created with a detailed description
HTTP instead of HTTPS The URL starts with http:// or SSL validation is disabled The node is skipped and no incident is created

Recovery after errors

When the problem is resolved, the system records recovery on the next check cycle.

  • Short network outages trigger retry attempts before an incident is created
  • After recovery, a system message is added to the incident
  • If auto-close is enabled and the incident has no executor, it closes automatically
  • The monitor then returns to normal certificate lifetime tracking
ℹ️ Retry behavior

For short-lived HTTPS endpoint outages, the system can try to connect several times before it creates an incident.

Best Practices

Monitoring setup

Recommended approach

  • Set thresholds at folder level - this makes it easier to inherit the same rules across a group of nodes
  • Keep Warning above Critical - the system expects an earlier warning threshold
  • Enable auto-close for certificates that are renewed automatically
  • Use a full HTTPS URL and remember to include non-standard ports
  • Check the SSL validation option in the Web service if the certificate must be monitored

Working with incidents

  • Respond to critical incidents first
  • Use the open SSL incident as the control point while the certificate is being renewed
  • Add comments in Helpdesk if the renewal is handled manually
  • If an executor is assigned, auto-close will not close the incident

Integration with processes

Automatic renewal

SSL monitoring works best together with automated certificate renewal:

  • Let's Encrypt + Certbot - good for regular automated renewals
  • ACME clients - useful for custom issuance and renewal workflows
  • Cloud CDNs - often manage certificates without operator involvement

Certificate types

Certificate type Notes What to keep in mind
Let's Encrypt Short validity and frequent renewal Auto-close and an early Warning threshold work well here
Commercial CAs Usually a longer validity period with a manual renewal process Use an earlier Critical threshold and plan the replacement ahead of time
Self-signed The validity period is set manually Keep the inheritance model and renewal procedure clear
Wildcard One certificate covers many subdomains This is usually a critical certificate for a group of services

What to do when you receive an incident

Basic workflow

  1. Check the remaining days - understand how urgent the situation is
  2. Open the certificate manually - confirm the issue is real
  3. Prepare renewal - obtain the new certificate or trigger automated renewal
  4. Replace the certificate on the server - deploy it in the service
  5. Check again - wait for the monitoring state to recover
  6. Close the incident - manually or by waiting for auto-close
⚠️ Important

Do not postpone SSL incidents. An expired certificate can block access to the service, trigger browser warnings, and reduce user trust.