How to Get SSL Certificate Expiry Email Reminders

An expired SSL certificate breaks your website for visitors, damages trust, and hurts SEO. Here's how to set up automatic reminders so you never miss a renewal deadline.

Why SSL Monitoring Matters

What Happens When SSL Expires

Browser warnings - "Your connection is not private"
Lost traffic - Visitors leave immediately
SEO impact - Google penalizes insecure sites
API failures - HTTPS connections rejected
Payment processing - PCI compliance issues

Common Expiration Causes

Forgot to renew manually
Auto-renewal failed silently
Email went to spam
Contact email changed
Certificate authority issues

Method 1: Use a Monitoring Service

Set Up Automated Monitoring

The most reliable approach is dedicated SSL monitoring:

Add your domains to a monitoring service
Configure alert thresholds (30, 14, 7, 1 days)
Add multiple email recipients
Enable backup notification channels

Alert Schedule Example

Days Before Expiry	Alert Type
60 days	Informational email
30 days	Reminder email
14 days	Warning email
7 days	Urgent email
3 days	Critical + SMS
1 day	Emergency + Phone

Method 2: DIY with Scripts

Bash Script for Checking

#!/bin/bash
# check-ssl-expiry.sh

DOMAIN=$1
DAYS_WARNING=30

EXPIRY=$(echo | openssl s_client -servername $DOMAIN -connect $DOMAIN:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)

EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( ($EXPIRY_EPOCH - $NOW_EPOCH) / 86400 ))

if [ $DAYS_LEFT -lt $DAYS_WARNING ]; then
  echo "WARNING: $DOMAIN SSL expires in $DAYS_LEFT days"
  # Send email alert
  echo "SSL certificate for $DOMAIN expires in $DAYS_LEFT days" | \
    mail -s "SSL Expiry Warning: $DOMAIN" admin@example.com
fi

Cron Job Setup

# Check SSL daily at 9 AM
0 9 * * * /path/to/check-ssl-expiry.sh example.com
0 9 * * * /path/to/check-ssl-expiry.sh api.example.com
0 9 * * * /path/to/check-ssl-expiry.sh app.example.com

Python Script Alternative

import ssl
import socket
from datetime import datetime
import smtplib
from email.mime.text import MIMEText

def check_ssl_expiry(domain, warning_days=30):
    context = ssl.create_default_context()

    with socket.create_connection((domain, 443)) as sock:
        with context.wrap_socket(sock, server_hostname=domain) as ssock:
            cert = ssock.getpeercert()

    expiry = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
    days_left = (expiry - datetime.now()).days

    if days_left < warning_days:
        send_alert(domain, days_left)

    return days_left

def send_alert(domain, days):
    msg = MIMEText(f"SSL certificate for {domain} expires in {days} days")
    msg['Subject'] = f"SSL Expiry Warning: {domain}"
    msg['From'] = 'monitor@example.com'
    msg['To'] = 'admin@example.com'

    with smtplib.SMTP('localhost') as server:
        server.send_message(msg)

# Check multiple domains
domains = ['example.com', 'api.example.com', 'app.example.com']
for domain in domains:
    days = check_ssl_expiry(domain)
    print(f"{domain}: {days} days remaining")

Method 3: Calendar Reminders

Manual Calendar Setup

Find your certificate expiry date
Create calendar events:
- 60 days before: "Review SSL renewal"
- 30 days before: "Renew SSL certificate"
- 7 days before: "URGENT: SSL expires soon"
Invite team members
Repeat for each domain

Getting the Expiry Date

# Check expiry date
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate

# Output: notAfter=Mar 15 12:00:00 2026 GMT

Method 4: Let's Encrypt Automation

Certbot Auto-Renewal

Let's Encrypt certificates auto-renew, but you should still monitor:

# Check certbot renewal status
sudo certbot certificates

# Test renewal
sudo certbot renew --dry-run

# Cron job for renewal (usually set up automatically)
0 0 * * * certbot renew --quiet