SSL & domain expiry

Days before a certificate expires.

A daily openssl and whois check flags any certificate or domain with fewer than N days left. The hostname and exact date arrive as a push notification on your phone at 30, 14, and 3 days out, with renewal time to spare.

Daily checkSSL + domainopenssl · whois · cron
Features

Renew before it lapses

An expired certificate is a self-inflicted outage. A daily check buys you days of warning.

SSL and domains

openssl handles the cert, whois handles the domain. One daily script watches both.

One daily check

A short cron job covers it. No paid monitoring service.

Which cert, what date

The hostname and exact expiry date land in the message, so you know which cert is on the clock.

Staggered warnings

Stagger alerts at 30, 14, and 3 days. A failed auto-renew still leaves time for a manual fix.

Avoid the outage

An expired cert throws browser warnings and costs you trust. This catches it days ahead.

Runs anywhere

Run it from cron, systemd, or a scheduled GitHub Action.

Get started

Three steps to expiry alerts

1

Get the CLI or URL

Install the PocketAlert CLI, or grab your webhook URL for a curl-based check.

2

Schedule the check

Add a daily openssl or whois check that fires as the deadline nears.

3

Renew in time

Warnings land at 30, 14, and 3 days out. You renew long before anything lapses.

Watch SSL and domain expiry

1. Install the CLI and authenticate

Download the pocketalert binary, drop it on your PATH, and authenticate once with your API key.

sudo mv pocketalert /usr/local/bin/ && chmod +x /usr/local/bin/pocketalert
pocketalert auth YOUR_API_KEY

2. SSL certificate (daily cron)

Read the cert expiry date with openssl, compute the days remaining, and push when fewer than 14 are left.

HOST=example.com
END=$(echo | openssl s_client -connect "${HOST}:443" -servername "$HOST" 2>/dev/null \
  | openssl x509 -noout -enddate | cut -d= -f2)
DAYS=$(( ($(date -d "$END" +%s) - $(date +%s)) / 86400 ))
[ "$DAYS" -lt 14 ] && pocketalert send \
  -t "SSL expiring: $HOST" -m "${DAYS} days left (expires $END)"

3. Domain expiry

Read the registry expiry date with whois and forward it the same way.

EXP=$(whois example.com | awk -F': ' '/Expir/{print $2; exit}')
pocketalert send -t "Domain expiry: example.com" -m "Registered until $EXP"

4. Schedule it

Run the check once a day from cron.

0 8 * * * /usr/local/bin/check-ssl.sh

No CLI? Swap pocketalert send for a curl POST to the messages API.

curl -X POST 'https://api.pocketalert.app/v1/messages' \
  -H 'Token: YOUR_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"title":"SSL expiring: example.com","message":"13 days left","level":"critical"}'

The docs cover the rest.

FAQ

Questions, answered

A daily check reads the certificate expiry date and POSTs to PocketAlert once fewer than N days remain. You hear about it with renewal time to spare, not at midnight when the cert is already dead.

Yes. openssl reads the cert expiry and whois reads the domain expiry. A short script compares either against a threshold and alerts you as the deadline approaches.

Put the hostname and exact expiry date in the message. You know which certificate is lapsing and how many days are left to renew it.

cron, a systemd timer, or a GitHub Actions schedule all work. Anywhere that runs a daily command and makes an HTTP request will do.

Alert at 30, 14, and 3 days out. If an auto-renew fails, that last window still gives you time to renew by hand before the cert lapses.

Yes, give it a level. Send the 30-day heads-up with level=silent so it sits in history without a sound, and mark the tighter warnings level=critical: Android posts those on a channel that bypasses Do Not Disturb, and iPhone shows them as time-sensitive notifications that break through Focus.

Renew before the certificate dies.

One daily check, and you hear about a lapsing certificate or domain with days to spare.