Last updated July 2, 2026

SSL Certs

The SSL Certs page is your single source of truth for every TLS certificate in your fleet — auto-discovered by the agent, ranked by expiry date, and one click away from a Let’s Encrypt renewal when eligible.

Open it from the sidebar under Monitoring → SSL Certs, or directly at /certificates.

The header carries four KPI cards:

  • Total certificates discovered across the fleet.
  • Valid — expires more than 14 days out.
  • Expiring soon — expires within the next 14 days.
  • Expired — already past the expiry date.

Below, the list is sorted by expiry ascending so the ones you have to worry about are always on top. For each certificate you see:

  • Domain — the common name or SAN the cert protects.
  • Server — the host it was discovered on.
  • Issuer — Let’s Encrypt, ZeroSSL, DigiCert, self-signed, etc.
  • Expires — absolute date plus “in X days” hint.
  • Status — valid / expiring / expired badge.
  • CDN badge — when the domain is fronted by a CDN (Cloudflare, Fastly, Akamai, Sucuri) we flag it because the origin cert visible here is not what your users actually see.

Filter by status via the tab bar: All, Valid, Expiring, Expired.

  • Renew — one-click renewal for eligible Let’s Encrypt certificates. HostAtlas sends a renew command to the agent, which runs certbot renew for that certificate. The result surfaces in the Activity feed.
  • Open server — jumps to the host that owns the certificate.
  • Open domain — jumps to the domain detail page if the domain is tracked in HostAtlas.

The agent walks the certificate stores on every discovery run — nginx and Apache vhosts, Postfix, Dovecot, HAProxy, and any explicit .crt/.pem paths configured on the host. For each certificate it captures the common name, SANs, issuer, and expiry, and pushes them to HostAtlas.

The expiry buckets are computed on every page load:

  • expires_at > now + 14 days → valid.
  • expires_at between now and now + 14 days → expiring soon.
  • expires_at < now → expired.
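
The bucket rules, list ordering, and KPI counts described on this page, as an added Python example (not HostAtlas code). It assumes expiry dates arrive in the notAfter format printed by `openssl x509 -noout -enddate` and that both boundary instants count as expiring soon; the function names and the sample inventory are hypothetical.

```python
import ssl
from collections import Counter
from datetime import datetime, timedelta, timezone

SOON = timedelta(days=14)  # threshold stated on the page

def bucket(expires_at, now):
    """Apply the three rules; assumption: both boundary instants are 'expiring'."""
    if expires_at < now:
        return "expired"
    if expires_at > now + SOON:
        return "valid"
    return "expiring"

def parse_not_after(text):
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def report(inventory, now):
    """Return (rows sorted by expiry ascending, KPI counts per status plus total)."""
    rows = []
    for domain, server, not_after in inventory:
        exp = parse_not_after(not_after)
        rows.append({"domain": domain, "server": server, "expires_at": exp,
                     "days_left": (exp - now).days, "status": bucket(exp, now)})
    rows.sort(key=lambda r: r["expires_at"])
    kpi = Counter(r["status"] for r in rows)
    kpi["total"] = len(rows)
    return rows, kpi

# Constructed sample inventory (hypothetical hosts and dates, not real data).
NOW = datetime(2026, 7, 2, 12, 0, 0, tzinfo=timezone.utc)
INVENTORY = [
    ("shop.example.com", "web-01", "Oct  1 00:00:00 2026 GMT"),
    ("mail.example.com", "mx-01", "Jul 16 12:00:00 2026 GMT"),  # exactly now + 14 days
    ("old.example.com", "web-02", "Jun 30 23:59:59 2026 GMT"),
    ("api.example.com", "web-01", "Jul  5 08:00:00 2026 GMT"),
]

if __name__ == "__main__":
    rows, kpi = report(INVENTORY, NOW)
    for r in rows:
        print(f'{r["expires_at"]:%Y-%m-%d} {r["days_left"]:>4}d '
              f'{r["status"]:<9} {r["domain"]} ({r["server"]})')
    print(dict(kpi))
```

Passing `now` explicitly keeps the classification reproducible and makes the boundary behaviour easy to check.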

Two alert types fire automatically through the Alert Rules engine:

  • Certificate expiring — 14 days before expiry.
  • Certificate expired — as soon as the expiry date passes.

Route them to Slack, email, PagerDuty, or any other configured channel.

For any Let’s Encrypt certificate on a host where the agent detects a valid certbot install, HostAtlas exposes the Renew action. The renewal:

  • Runs certbot renew scoped to the specific certificate.
  • Takes an automatic backup of the current cert and key before touching anything.
  • Rolls back on failure so the site keeps serving the old (still valid) cert.
  • Refreshes the discovery data on completion so the new expiry appears on the list.

Renewal is available on Pro and above.

  • Domains — the domain inventory the agent auto-discovers from vhosts.
  • Monitors — enable SSL check on a URL monitor to also probe validity from outside your network.
  • Recipes — for bulk renewal or issuing new certificates across many hosts.