SSL Certificate Expiring (30 Days)

What This Check Does

The SSL Certificate Expiring (30 Days) check fires when your SSL/TLS certificate has fewer than 30 days remaining before expiration. DNS Spy retrieves your certificate during each monitoring cycle and calculates the days remaining. This is the second escalation level — if the 90-day warning was not acted on, this check provides an urgent reminder.

Why It Matters

At 30 days out, certificate renewal is no longer optional planning — it's an active priority. Certificate issuance can be delayed by domain validation issues, DNS propagation, or CA processing times. Waiting until the last week dramatically increases the risk of a lapse. A 30-day alert gives you time to troubleshoot any problems that arise during the renewal process.

For multi-domain or wildcard certificates, the renewal and installation process is more complex and typically requires coordination across teams. The 30-day window accommodates that coordination without pressure.

Good vs. Bad Configuration

Bad Configuration

The certificate for example.com expires in 22 days. The 90-day alert was dismissed, auto-renewal failed silently, and no one noticed until the 30-day check fired.

Good Configuration

The certificate for example.com was renewed at the 30-day mark. The new certificate is installed and the DNS Spy check now shows a validity period reset to 365 days, with the 30-day alert cleared.

How DNS Spy Monitors This

DNS Spy escalates from the 90-day warning to the 30-day warning automatically. When fewer than 30 days remain, a new alert is issued. Notifications are sent through all configured channels. Once the certificate is renewed and DNS Spy detects a new expiration date beyond 30 days, the alert is automatically resolved.