Probe type · Free+
SSL / TLS certificate probe
The dedicated cert-hygiene probe. Catches the expiring Let's Encrypt cert, the silent CA swap, and the missing-intermediate chain before your customers do.
Why you need it
The SSL probe is StatusPulse's purpose-built certificate check. It opens a TLS connection to the target, completes the full handshake, and inspects the leaf cert — not just to see that one is served, but to read everything operators actually need to alert on. Every run captures:
-
Days until expiry — the headline metric, driving a
two-tier state machine.
SslDegradedDaysBefore(default 15 days, the middle of a Let's Encrypt renewal window) flips the probe Up → Degraded.SslDownDaysBefore(default 0, so only genuine expiry trips it) flips it Down. - Full chain + hostname validation — the same validation a browser performs. A missing intermediate, an untrusted root, or a cert that doesn't cover the hostname in its Subject Alternative Names is reported as Down with the exact reason.
-
Certificate metadata snapshot — issuer, subject CN,
SAN list, serial number, signature algorithm, public-key algorithm,
negotiated TLS version, and exact
notAfter. A silent CA switch shows up as a metadata diff between checks.
The probe runs on a fixed 6-hour interval with a 30 s timeout — both hardcoded. Certificate expiry moves in days, so checking every minute would be pure waste; the form hides the interval / timeout fields for SSL probes specifically.
Where it pays off
Pair an SSL probe with every HTTPS endpoint you already cover with an HTTP probe. Expired certs are the single most common silent production outage, and an HTTP probe alone gives no advance warning.
- Production websites and APIs on Let's Encrypt, ACME, or any auto-renew flow. Default thresholds catch silently stalled renewals.
- Manually-managed certs on platforms that still require an annual upload. Raise Degraded days to 60 for more headroom.
- Third-party SaaS dependencies — the metadata snapshot catches a sudden issuer change at your vendor's edge.
- TLS-only non-HTTP ports — SMTPS 465, IMAPS 993,
LDAPS 636. Append
:portto the target hostname.
Not the right choice when: you need to assert the application actually works — use the HTTP probe. For STARTTLS ports (SMTP 587, IMAP 143) the SSL probe doesn't apply; use the Email probe instead. For domain registration expiry, use the Domain expiration probe.
Configuration parameters
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
Name |
string |
Required | — | Human-readable label shown in the dashboard, on the status page, and in alert subject lines. |
Target |
string (hostname[:port]) |
Required | — | Hostname only — no scheme, no path. Port defaults to 443; append :port for non-standard ports. The hostname drives SNI. Internal / RFC1918 hosts rejected by the SSRF guard. |
Degraded at (days) |
integer |
Optional | 15 | Days remaining at which the probe flips Up → Degraded. 15 is the middle of a typical Let's Encrypt renewal window. |
Expired at (days) |
integer |
Optional | 0 | Days remaining at which the probe flips Down. 0 means only genuine expiry / chain failure / hostname mismatch trips it. Raise to e.g. 3 for a critical pre-expiry tier. |
Interval |
fixed |
— | 6 hours (hardcoded) | Cert expiry moves in days. The form hides the interval field for SSL probes. |
Timeout |
fixed |
— | 30 seconds (hardcoded) | Hard ceiling for connect + TLS handshake + cert read. Generous enough for the slowest reachable TLS endpoint. |
Show on status page |
boolean |
Optional | false on create | Master visibility gate for the public page. New probes start hidden so the operator can review checks before publishing. |
Paused |
boolean |
Optional | false | Master kill-switch. Paused probes don't poll and don't fire alerts. |
Auto-email alerts |
boolean |
Optional | true | Per-probe switch on top of per-watcher toggles. |
SLA target |
decimal (99.0-99.999) |
Optional | — | Optional uptime SLO. Drives the SLA widget on the status page. |
Available on Free+. Already on StatusPulse? See the full config in Help →
Related
Try SSL / TLS certificate probe in StatusPulse
5 probes, 1 status page, forever. No credit card. US or EU host — you choose.