Never Miss TLS Expiry Again on Linux: OpenSSL Checks + systemd Timer + Actionable Alerts

Never Miss TLS Expiry Again on Linux: OpenSSL Checks + systemd Timer + Actionable Alerts Expired TLS certs are still one of the easiest outages to avoid. In this guide, we’ll build a small, auditable monitor that: checks multiple domains daily, uses proper SNI ( -servername ) so you inspect the right certificate, fails when expiry is within your threshold, logs to journalctl , and optionally sends alerts to a webhook. No SaaS required. Why this approach works Two OpenSSL features do most of the heavy lifting: openssl s_client can fetch a live server certificate chain from host:443 . openssl x509 -checkend <seconds> exits non-zero if the cert expires within the specified window. That makes it perfect for scripts and timers. Prerequisites Linux host with systemd openssl bash curl (optional, for webhook alerts) Install on Debian/Ubuntu: sudo apt update sudo apt install -y openssl curl Step 1) Create a domain inventory Create /etc/tls-monitor/domains.txt : example.com api.example.com statu