Skip to main content
By the end of this guide, you’ll have an HTTP monitor that alerts you before your TLS certificates expire, giving you time to renew.
  • DevHelm CLI installed or an API token
  • An HTTPS endpoint to monitor

Add an SSL expiry assertion

The ssl_expiry assertion checks how many days remain before the TLS certificate expires. Add it to any HTTP monitor:
devhelm monitors create \
  --name "example.com SSL" \
  --type HTTP \
  --url https://example.com \
  --frequency 3600 \
  --regions us-east,eu-west \
  --assertion 'ssl_expiry>=30' \
  --assertion '{"severity":"fail","config":{"type":"ssl_expiry","minDaysRemaining":14}}'
monitors:
  - name: example.com SSL
    type: HTTP
    config:
      url: https://example.com
      method: HEAD
      verifyTls: true
    frequencySeconds: 3600
    regions:
      - us-east
      - eu-west
    assertions:
      - config:
          type: ssl_expiry
          minDaysRemaining: 14
        severity: fail
      - config:
          type: ssl_expiry
          minDaysRemaining: 30
        severity: warn
This setup:
  • Warns at 30 days — time to plan renewal
  • Fails at 14 days — urgent action needed
In the CLI, the shorthand --assertion 'ssl_expiry>=N' creates a warn-severity assertion; pass a JSON object (as above) when you need fail severity. To add an assertion to an existing monitor, use POST /api/v1/monitors/{monitorId}/assertions with a body like {"severity": "fail", "config": {"type": "ssl_expiry", "minDaysRemaining": 14}}.

Choosing thresholds

ThresholdUse case
30 days (warn)Standard renewal reminder with plenty of lead time
14 days (fail)Critical alert — certificate is close to expiring
7 days (fail)Emergency — immediate action required
If you use auto-renewal (Let’s Encrypt, AWS ACM), set a shorter fail threshold (7 days). The warn threshold still catches renewal failures early.

Check frequency

Certificate expiry doesn’t change rapidly, so checking every hour (3600) or every 6 hours (21600) is sufficient. This saves check quota while still catching issues promptly.

Combine with other assertions

SSL monitoring works alongside other HTTP assertions:
assertions:
  - config:
      type: status_code
      expected: "200"
      operator: equals
    severity: fail
  - config:
      type: response_time
      thresholdMs: 5000
    severity: warn
  - config:
      type: ssl_expiry
      minDaysRemaining: 14
    severity: fail

TLS verification

Set verifyTls: true (the default) to also catch invalid certificates, hostname mismatches, and untrusted CAs — the check fails immediately rather than just triggering the expiry assertion. Set verifyTls: false only for self-signed certificates in development environments.

Next steps

HTTP assertions

Full list of HTTP assertion types.

Alerting guide

Route certificate warnings to specific channels.

Monitors guide

Configure all monitor types.