An expired certificate is a full outage
When a TLS certificate expires, browsers stop trusting your site and replace it with a full page security warning. To a visitor that looks identical to a hack, and most people back away immediately. It is one of the most avoidable outages there is, because the expiry date is known months in advance, and yet it keeps happening.
It keeps happening because the failure is silent until the exact moment it is catastrophic. Nothing degrades gradually. The certificate is valid right up to the second it is not, and if nothing is watching the clock, the first signal you get is the site already being down.
Why auto-renewal is not enough on its own
Most certificates renew automatically, which is great until the automation breaks quietly. A renewal hook stops working after a server change, a DNS challenge no longer resolves, or a new certificate is issued but the web server is never reloaded to pick it up. In every one of those cases the automation reports success or stays silent, and the certificate still lapses. Monitoring is the independent check that catches the renewal that did not happen.
How SSL monitoring works in Cronaut
Cronaut inspects the certificate your domain actually serves and tracks the days remaining until it expires. As the expiry date approaches, the check moves to a degraded state with plenty of lead time to renew, and that change alerts you by email, Slack, Discord or webhook. Because the certificate is validated as part of each uptime check, you also find out immediately if the served certificate becomes invalid for any other reason, not only expiry.
One engine for SSL, uptime and cron
Certificate checks run on the same check engine as active uptime monitoring and cron and heartbeat monitoring, so an expiring certificate, a downed endpoint and a silent cron failure all land on one dashboard and one status page. A degraded certificate can open an incident on your public status page automatically, the same way any other check does.