Configure TLS certificate probes
Connect to a TLS endpoint and report days until certificate expiry.
TLS certificate probes connect to a host on a TLS port, read the
peer certificate, and report days_until_expiry. Use them to fire
a clear signal before a public certificate lapses.
Configuration shape
{
  "host": "api.example.com",
  "port": 443,
  "warn_days": 30,
  "critical_days": 7
}
Field reference
| Field | Default | Notes |
|---|---|---|
| host | required | Hostname (preferred) or IP. SNI is set automatically when the host is a hostname. |
| port | 443 | TLS port to connect to. |
| warn_days | 30 | Informational marker. The agent reports the value regardless; thresholds drive status. |
| critical_days | 7 | Same as above. The relationship warn_days >= critical_days is enforced. |
The probe accepts certificates that fail validation (expired,
self-signed, hostname mismatch). The intent is to surface the
problem rather than refuse the connection. Status is computed
from days_until_expiry.
Threshold examples
| Goal | Healthy | Unhealthy |
|---|---|---|
| Standard renewal cadence | over 30 | under 7 |
| Aggressive (Let's Encrypt 90d) | over 14 | under 3 |
Negative days_until_expiry indicates the certificate has already
expired. Set unhealthy at under 0 to treat that as a hard
unhealthy.
Reason codes
| Reason | Meaning |
|---|---|
| no_cert | Server completed TLS but did not present a certificate. |
| bad_cert_date | Certificate's valid_to could not be parsed. |
| ETIMEDOUT | Connection did not complete in time. |
| ECONNREFUSED | Connection refused at the TCP layer. |
| tls_error | Other TLS-handshake error. |
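The following Node.js sketch is an added example, not the agent's own code. It shows how a probe of this shape can read an unvalidated peer certificate, compute days_until_expiry, and map failures to the reason codes above. The names evaluateCert, probe, healthy_over, unhealthy_under, the "degraded" band and the 5000 ms timeout are assumptions made for illustration.

```javascript
// Added example, not the agent's code. healthy_over / unhealthy_under and the
// status names are assumptions; reason codes and valid_to come from the page.
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Turn a peer certificate (shape of Node's getPeerCertificate()) into a result.
function evaluateCert(cert, thresholds, nowMs) {
  if (!cert || Object.keys(cert).length === 0) return { reason: 'no_cert' };
  const expiresMs = Date.parse(cert.valid_to);
  if (Number.isNaN(expiresMs)) return { reason: 'bad_cert_date' };
  // Negative once the certificate has already expired.
  const days = Math.floor((expiresMs - nowMs) / MS_PER_DAY);
  let status = 'degraded'; // assumed name for the band between the thresholds
  if (days > thresholds.healthy_over) status = 'healthy';
  else if (days < thresholds.unhealthy_under) status = 'unhealthy';
  return { status, days_until_expiry: days };
}

// Live probe: validation is disabled on purpose so an expired, self-signed or
// mismatched certificate is still read and reported instead of refused.
async function probe(cfg, thresholds, timeoutMs = 5000) {
  const tls = await import('node:tls');
  const net = await import('node:net');
  return new Promise((resolve) => {
    const opts = { host: cfg.host, port: cfg.port ?? 443, rejectUnauthorized: false };
    if (net.isIP(cfg.host) === 0) opts.servername = cfg.host; // SNI for hostnames only
    const socket = tls.connect(opts, () => {
      const result = evaluateCert(socket.getPeerCertificate(), thresholds, Date.now());
      socket.end();
      resolve(result);
    });
    socket.setTimeout(timeoutMs, () => socket.destroy(
      Object.assign(new Error('timeout'), { code: 'ETIMEDOUT' })));
    socket.on('error', (err) => {
      const known = ['ETIMEDOUT', 'ECONNREFUSED'].includes(err.code);
      resolve({ reason: known ? err.code : 'tls_error' });
    });
  });
}
```

Because the connection is made with rejectUnauthorized set to false, the result says nothing about chain or hostname validity; use it only for expiry tracking.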