SSL Certificate Renewal

An expired SSL certificate causes immediate trust failures. OnCallReady detects certs within the renewal window, triggers ACME/Let's Encrypt renewal, deploys the new cert, and reloads the web server, with zero downtime and zero human involvement.

Avg Resolution: 19s
Severity: Medium
Success Rate: 99%
Humans Paged: 0

Trigger Conditions

/ssl.*(expir|renew|certif|invalid|expire[sd]?)/i

Fires on SSL/TLS certificate alerts indicating upcoming or current expiration. Typical triggers: "SSL certificate expiring in 7 days for api.example.com", "Certificate expired on prod-lb-01", "TLS cert renewal required". Catches both proactive warnings and post-expiry failures.
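Added example (not OnCallReady's code): a coverage check that runs the trigger pattern above against the three alert strings quoted as typical triggers, plus two constructed alerts that are not about expiry. `BROADER_PATTERN`, the constructed samples and the `shouldFire` labels are assumptions made for illustration.

```javascript
// PAGE_PATTERN is copied verbatim from the page.
const PAGE_PATTERN = /ssl.*(expir|renew|certif|invalid|expire[sd]?)/i;
// Assumption: one possible broader pattern, not the product's own.
// It accepts ssl/tls/cert as the subject and requires an expiry or renewal word.
const BROADER_PATTERN = /\b(ssl|tls|cert(ificate)?)\b.*\b(expir\w*|renew\w*)\b/i;

// shouldFire = true means a renewal runbook is the right response (assumed label).
const SAMPLES = [
  // Quoted on the page as typical triggers.
  { text: "SSL certificate expiring in 7 days for api.example.com", shouldFire: true },
  { text: "Certificate expired on prod-lb-01", shouldFire: true },
  { text: "TLS cert renewal required", shouldFire: true },
  // Constructed: TLS problems that a renewal would not fix.
  { text: "SSL handshake failure: invalid cipher suite on prod-lb-01", shouldFire: false },
  { text: "SSL certificate hostname mismatch for api.example.com", shouldFire: false },
];

// Returns the alerts a pattern fails to catch and the ones it catches wrongly.
function evaluate(pattern, samples) {
  const missed = [];
  const spurious = [];
  for (const { text, shouldFire } of samples) {
    const fired = pattern.test(text);
    if (shouldFire && !fired) missed.push(text);
    if (!shouldFire && fired) spurious.push(text);
  }
  return { missed, spurious };
}

function report() {
  return {
    page: evaluate(PAGE_PATTERN, SAMPLES),
    broader: evaluate(BROADER_PATTERN, SAMPLES),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

The page's pattern requires the literal text "ssl", so the second and third quoted alerts do not fire, while its `invalid` and `certif` branches fire on alerts unrelated to expiry. The agent's first step (verify certificate status) is what keeps a spurious match from turning into an unnecessary renewal.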

What the Agent Does

1. Verify certificate status

Connects directly to the domain and checks the current cert's expiry date, issuer, and SANs. Confirms which specific domain(s) need renewal.

2. Trigger ACME certificate renewal

Invokes certbot or the configured ACME client with the appropriate challenge method (HTTP-01 or DNS-01). Handles wildcard certs via DNS challenge when configured.

3. Deploy new certificate

Copies renewed certificate and key to the configured deployment path. Updates symlinks for zero-downtime swap. Maintains backup of prior cert for rollback.

4. Reload web server

Sends SIGHUP (graceful reload) to nginx, apache, or haproxy. Existing connections are not dropped. New connections immediately use the renewed certificate.

5. Verify TLS handshake

Performs a TLS verification check against the live domain. Confirms new cert is being served, expiry is 90 days out, and no mixed-content or chain errors exist.

Example Incident Log

incident-4977 · ssl-expiry · api.example.com
[09:00:03] ALERT SSL certificate expiring in 6 days for api.example.com
[09:00:03] Matched runbook: ssl-expiry
[09:00:04] Verifying certificate: api.example.com:443
[09:00:05] Current cert expires: 2026-06-04 · Issuer: Let's Encrypt
[09:00:05] Initiating ACME renewal (HTTP-01 challenge)
[09:00:11] Challenge completed · New cert issued (expires 2026-09-01)
[09:00:12] Deploying to /etc/letsencrypt/live/api.example.com/
[09:00:13] Cert deployed · Previous cert backed up
[09:00:13] Reloading nginx (SIGHUP)
[09:00:15] nginx reloaded · 0 connections dropped
[09:00:16] Verifying TLS handshake...
[09:00:22] ✓ RESOLVED Cert valid · Expires 94 days · Duration: 19s
[09:00:22] On-call team: undisturbed. Certificate renewed automatically.

Never manually renew a certificate again

OnCallReady handles SSL expiry automatically — proactively, before users see errors.