Caddy — alert when auto-renewal failed silently
Caddy usually renews on its own, but once a Let's Encrypt rate-limit broke the cycle and we found out 2 days before expiry. Want a belt-and-braces daily check.
Recipe
#!/usr/bin/env bash
# Reads the cert directly off the live socket; fails when < N days remain.
DOMAIN="${1:-example.com}"
DAYS_LEFT_THRESHOLD="${DAYS_LEFT_THRESHOLD:-14}"
EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null \
| openssl x509 -noout -enddate 2>/dev/null \
| cut -d= -f2)
[ -z "$EXPIRY" ] && { echo "fetch-failed"; exit 1; }
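# date -d is the GNU form; a parse failure is treated like a failed fetch.
EXP_TS=$(date -d "$EXPIRY" +%s) || { echo "fetch-failed"; exit 1; }
NOW=$(date +%s)
DAYS=$(( (EXP_TS - NOW) / 86400 ))
if [ "$DAYS" -lt "$DAYS_LEFT_THRESHOLD" ]; then
  echo "low $DAYS"
  exit 1  # non-zero exit so cron or a monitor sees the failure
fi
echo "ok $DAYS"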
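A variant of the check above, added here as an example and not part of the original recipe: it uses openssl's own -checkend test instead of date parsing, and returns distinct exit codes so a monitor can tell an expiring certificate from a failed fetch. The function names (classify_pem, check_host, sample_cert) and the sample certificates are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, sample certs are constructed.
THRESHOLD_DAYS="${DAYS_LEFT_THRESHOLD:-14}"

# Classify a PEM certificate read from stdin.
# Prints ok / low / fetch-failed and returns 0 / 1 / 2 respectively.
classify_pem() {
  local pem
  pem=$(cat)
  # Empty or unparsable input means the fetch failed, not that the cert is fine.
  if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
    echo "fetch-failed"; return 2
  fi
  # -checkend N exits 0 only if the cert is still valid N seconds from now,
  # so no date arithmetic is needed.
  if printf '%s\n' "$pem" \
      | openssl x509 -noout -checkend $(( THRESHOLD_DAYS * 86400 )) >/dev/null; then
    echo "ok"; return 0
  fi
  echo "low"; return 1
}

# Fetch the leaf certificate from the live socket, as the recipe does.
check_host() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | classify_pem
}

# Constructed sample input: a throwaway self-signed cert valid for $1 days.
sample_cert() {
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days "$1" -subj "/CN=sample.invalid" >/dev/null 2>&1
  cat "$dir/cert.pem"
  rm -rf "$dir"
}

# With a domain argument, check the live host; the exit code drives alerting.
if [ "$#" -gt 0 ]; then
  check_host "$1"
  exit $?
fi
```

Run from cron with the domain as the first argument; exit code 2 (fetch-failed) is worth alerting on separately, since an unreachable host hides the expiry date entirely.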
Same thing in Enterno.io
Already baked into the Enterno SSL Checker — but a cron + "ok"-keyword monitor turns it into a real on-call page. Captain-tier history surfaces patterns like "renewal failed every Monday at 3 AM".