SSL certificate expiration is one of the most preventable causes of downtime. There is no complicated root cause, no subtle race condition, no cascading failure. The cert expires, browsers reject the connection, and your site is effectively down for every visitor. Yet it catches teams off guard constantly — even large ones with dedicated SRE teams.

The good news: if you are already monitoring your URLs with CronAlert, you are already monitoring your SSL certificates. Every HTTPS check automatically validates the certificate. If something is wrong, you get alerted through whatever channels you have configured. No extra setup required.

What SSL errors CronAlert detects

When CronAlert makes an HTTP request to your monitored URL, it validates the full TLS handshake just like a browser would. If the certificate is invalid for any reason, the check fails and CronAlert captures the specific error. Here are the categories of SSL issues it catches:

  • Expired certificates -- the most common culprit. The cert's validity period has passed and browsers will refuse the connection.
  • Self-signed certificates -- the certificate was not issued by a trusted certificate authority. Common in development environments that accidentally make it to production.
  • Incomplete certificate chains -- the server is not sending the intermediate certificates needed to verify the chain of trust back to a root CA.
  • TLS handshake failures -- the server and client cannot agree on a protocol version or cipher suite, or the handshake is rejected for another reason.
  • Hostname mismatch -- the certificate was issued for a different domain than the one being accessed.
  • Not-yet-valid certificates -- the certificate's start date is in the future. This can happen when a renewed cert is deployed before its validity period begins.

Under the hood, CronAlert looks for specific error patterns in the response: ssl, tls, certificate, cert_, expired, self-signed, ERR_CERT, ERR_SSL, CERT_HAS_EXPIRED, CERT_NOT_YET_VALID, and UNABLE_TO_VERIFY_LEAF_SIGNATURE. When any of these are detected, the check is recorded as an SSL-specific failure with a descriptive error message.

How it works

There is no separate "SSL monitoring" feature to enable. CronAlert does not treat SSL checks as a different type of monitor. Instead, every HTTP check against an HTTPS URL inherently validates the certificate as part of making the request. This is the same behavior you get from a browser -- if the cert is bad, the request fails.

When a check encounters an SSL error, CronAlert does three things:

  1. Records the failure with the specific error details, formatted as SSL certificate error: [details]
  2. Creates an incident on the monitor, just like any other downtime event
  3. Sends alerts through all your configured channels -- email, Slack, Discord, webhook, push notifications

This means SSL errors are treated with the same urgency as a full outage. Because from your users' perspective, a bad certificate is a full outage. Modern browsers will not let them through without clicking past scary warning pages, and many HTTP clients will refuse the connection entirely.

Setting up SSL monitoring

If you already have monitors for your HTTPS URLs, you are done. SSL monitoring is already active. If you are setting up from scratch, here is all it takes:

1

Create a monitor

Go to your CronAlert dashboard and add a new monitor. Enter your HTTPS URL -- for example, https://api.yourcompany.com/health. That is the only required field.

2

Configure your alert channels

Set up wherever you want to receive alerts: email, Slack, Discord, a webhook endpoint, or push notifications. You can configure multiple channels so your team gets notified through redundant paths.

3

There is no step 3

SSL validation happens automatically on every check. There is no toggle, no checkbox, no configuration page for it. If the URL starts with https://, the certificate is being validated.

What happens when an SSL error is detected

Here is a concrete example. Say your certificate for api.yourcompany.com expires at 2:00 AM on a Saturday. CronAlert's next scheduled check hits the URL and the TLS handshake fails. The check result is recorded with the error: 

SSL certificate error: CERT_HAS_EXPIRED

An incident is created on that monitor immediately. All configured alert channels fire. Your on-call engineer gets a Slack notification, an email lands in the team inbox, and your webhook endpoint receives a POST with the incident details. The alert includes the specific error, so your team knows this is a cert issue -- not an application crash or network problem -- and can act accordingly.

Once you renew the certificate and CronAlert's next check succeeds, the incident is automatically resolved and a recovery notification is sent through the same channels.

Common SSL issues and what they mean

When you get an SSL alert, the error message tells you what went wrong. Here is a quick reference for the most common ones:

Error What it means
CERT_HAS_EXPIRED The certificate's validity period has ended. Renew it and redeploy.
CERT_NOT_YET_VALID The certificate's start date is in the future. Usually a clock sync issue or premature deployment of a renewed cert.
DEPTH_ZERO_SELF_SIGNED_CERT A self-signed certificate is being served. Replace it with one from a trusted CA, or use a free cert from Let's Encrypt.
UNABLE_TO_VERIFY_LEAF_SIGNATURE The certificate chain is incomplete. Your server is not sending the intermediate certificates. Reconfigure your web server to include the full chain.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH The server and client cannot agree on a TLS version or cipher. Often means the server is configured with outdated or overly restrictive TLS settings.

Each of these will appear in your alert as SSL certificate error: [ERROR_CODE], making it straightforward to diagnose without logging into your server first.

Best practices for SSL monitoring

SSL monitoring with CronAlert is automatic, but there are a few things you can do to get the most out of it:

  • Monitor every domain you own. If you have app.yourcompany.com, api.yourcompany.com, and docs.yourcompany.com on separate certificates, create a monitor for each. One cert renewing does not mean the others did too.
  • Use shorter check intervals for critical services. On paid plans, monitors check every minute. If your primary domain's certificate expires, you want to know within 60 seconds, not 3 minutes.
  • Set up multiple alert channels. Do not rely on email alone for certificate alerts. Add Slack or Discord for instant visibility, and a webhook if you have an incident management system that should be notified.
  • Monitor your certificate renewal pipeline. If you use Let's Encrypt with auto-renewal, create a monitor for the URL. If the renewal process breaks silently, CronAlert will catch the resulting SSL error before your users do.
  • Do not forget non-obvious endpoints. API servers, webhook receivers, CDN origins, internal services exposed over HTTPS -- all of these have certificates that can expire. If it has an HTTPS URL, monitor it.

Free plan coverage: The free tier gives you 25 monitors with 3-minute intervals. That is enough to cover most teams' SSL monitoring needs. If you have more than 25 HTTPS endpoints to watch, the Pro plan supports up to 100 monitors with 1-minute intervals for $5/month.

Frequently asked questions

Do I need to enable SSL monitoring separately?

No. SSL certificate validation happens automatically on every HTTPS check. There is no toggle or separate configuration. If your monitor points to an HTTPS URL, the certificate is being validated on every single check.

Is SSL monitoring available on the free plan?

Yes. SSL monitoring is included on all plans, including free. You get 25 monitors with 3-minute check intervals, and every HTTPS check includes automatic SSL validation. Alerts are sent through all configured channels -- email, Slack, Discord, webhook, and push notifications.

What SSL errors does CronAlert detect?

CronAlert detects expired certificates, self-signed certificates, incomplete certificate chains, hostname mismatches, TLS handshake failures, and certificates that are not yet valid. Essentially, any error that would cause a browser to show a security warning will trigger an alert in CronAlert.

How quickly will I be alerted about an SSL issue?

You will be alerted on the next scheduled check after the SSL error occurs. On the free plan, that means within 3 minutes. On paid plans with 1-minute intervals, you will know within 60 seconds. Alerts fire immediately through all your configured channels as soon as the failed check is recorded.

Stop worrying about certificate expiration

SSL certificate issues are entirely preventable outages. The fix is almost always straightforward -- renew the cert, fix the chain, update the TLS config. The hard part is knowing about the problem before your users do. That is what CronAlert handles for you, automatically, on every check, with no extra configuration.

If you are already using CronAlert, your HTTPS monitors are already watching your certificates. If you are not, sign up for free and add your first monitor. Twenty-five monitors, 3-minute intervals, all alert channels included. Your certificates are too important to leave unmonitored.