Caddy — alert when auto-renewal failed silently
Caddy usually renews on its own, but once a Let's Encrypt rate-limit broke the cycle and we found out 2 days before expiry. Want a belt-and-braces daily check.
Recipe
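#!/usr/bin/env bash
# Reads the cert directly off the live socket; fails when < N days remain.
# Requires GNU date: "date -d" parses the notAfter string printed by openssl.
DOMAIN="${1:-example.com}"
DAYS_LEFT_THRESHOLD="${DAYS_LEFT_THRESHOLD:-14}"
# "echo |" closes stdin so s_client exits right after the handshake.
EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null \
  | openssl x509 -noout -enddate 2>/dev/null \
  | cut -d= -f2)
[ -z "$EXPIRY" ] && { echo "fetch-failed"; exit 1; }
EXP_TS=$(date -d "$EXPIRY" +%s) || { echo "date-parse-failed"; exit 1; }
NOW=$(date +%s)
DAYS=$(( (EXP_TS - NOW) / 86400 ))
# Exit non-zero on "low" so cron mail and exit-code monitors fire, not only keyword monitors.
if [ "$DAYS" -lt "$DAYS_LEFT_THRESHOLD" ]; then
  echo "low $DAYS"
  exit 1
fi
echo "ok $DAYS"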
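A fixed 14-day threshold only fires long after a renewal should have happened. The following added example (not part of the original recipe) goes one step further and flags a stalled renewal from the certificate's own notBefore/notAfter window. The names renewal_status, check_host, RENEW_RATIO_PCT and GRACE_DAYS are hypothetical, and the "renew at about 1/3 of lifetime remaining" point is an assumption to adjust to your ACME client's settings.

```shell
#!/usr/bin/env bash
# Added example (not from the original recipe): detect a stalled renewal from
# the certificate's own validity window instead of a fixed day count.
# Assumption: the ACME client renews once about 1/3 of the lifetime remains.
RENEW_RATIO_PCT="${RENEW_RATIO_PCT:-33}"  # assumed renewal window, % of lifetime
GRACE_DAYS="${GRACE_DAYS:-3}"             # days of failed retries tolerated

# renewal_status NOT_BEFORE NOT_AFTER [NOW_TS]
# Prints "<state> <days_left>"; returns 0 ok, 1 overdue/expired, 2 bad input.
renewal_status() {
  local nb na now life left window
  nb=$(date -u -d "$1" +%s 2>/dev/null) || { echo "parse-failed"; return 2; }
  na=$(date -u -d "$2" +%s 2>/dev/null) || { echo "parse-failed"; return 2; }
  now="${3:-$(date +%s)}"
  life=$(( na - nb ))
  [ "$life" -gt 0 ] || { echo "parse-failed"; return 2; }
  left=$(( na - now ))
  # Renewal should have happened once "left" dropped below this many seconds.
  window=$(( life * RENEW_RATIO_PCT / 100 - GRACE_DAYS * 86400 ))
  if [ "$left" -le 0 ]; then
    echo "expired $(( left / 86400 ))"; return 1
  elif [ "$left" -lt "$window" ]; then
    echo "renewal-overdue $(( left / 86400 ))"; return 1
  fi
  echo "ok $(( left / 86400 ))"
}

# check_host HOST: read notBefore/notAfter off the live socket and classify.
check_host() {
  local dates nb na
  dates=$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
    | openssl x509 -noout -dates 2>/dev/null)
  nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
  na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
  [ -n "$nb" ] && [ -n "$na" ] || { echo "fetch-failed"; return 1; }
  renewal_status "$nb" "$na"
}

# Live use: ./renewal-window.sh example.com  (network is touched only here)
if [ $# -gt 0 ]; then
  check_host "$1"
  exit $?
fi
```

On a 90-day certificate this reports renewal-overdue at 22 days remaining, a point where the 14-day check above still prints ok.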
Same thing in Enterno.io
Already baked into the Enterno SSL Checker — but a cron + "ok"-keyword monitor turns it into a real on-call page. Captain-tier history surfaces patterns like "renewal failed every Monday at 3 AM".
Related recipes
Auto-issuance for 200 subdomains — eventually you hit the Let's Encrypt rate limit (50 certs/week per registrable domain) and sit without HTTPS.
Minimal script that checks an SSL certificate and alerts 14 days before expiry.
Site is on the HSTS preload list, but after an nginx refactor the header is gone. In 3 months the domain will be removed from the preload list. Need a daily check.