SSL Certs
The SSL Certs page is your single source of truth for every TLS certificate in your fleet — auto-discovered by the agent, ranked by expiry date, and one click away from a Let’s Encrypt renewal when eligible.
Open it from the sidebar under Monitoring → SSL Certs, or directly at /certificates.
What you see
Section titled “What you see”The header carries four KPI cards:
- Total certificates discovered across the fleet.
- Valid — expires more than 14 days out.
- Expiring soon — expires within the next 14 days.
- Expired — already past the expiry date.
Below, the list is sorted by expiry ascending so the ones you have to worry about are always on top. For each certificate you see:
- Domain — the common name or SAN the cert protects.
- Server — the host it was discovered on.
- Issuer — Let’s Encrypt, ZeroSSL, DigiCert, self-signed, etc.
- Expires — absolute date plus “in X days” hint.
- Status — valid / expiring / expired badge.
- CDN badge — when the domain is fronted by a CDN (Cloudflare, Fastly, Akamai, Sucuri) we flag it because the origin cert visible here is not what your users actually see.
Filter by status via the tab bar: All, Valid, Expiring, Expired.
What you can do
Section titled “What you can do”- Renew — one-click renewal for eligible Let’s Encrypt certificates. HostAtlas sends a
renewcommand to the agent, which runscertbot renewfor that certificate. The result surfaces in the Activity feed. - Open server — jumps to the host that owns the certificate.
- Open domain — jumps to the domain detail page if the domain is tracked in HostAtlas.
How it works
Section titled “How it works”The agent walks the certificate stores on every discovery run — nginx and Apache vhosts, Postfix, Dovecot, HAProxy, and any explicit .crt/.pem paths configured on the host. For each certificate it captures the common name, SANs, issuer, and expiry, and pushes them to HostAtlas.
The expiry buckets are computed on every page load:
expires_at > now + 14 days→ valid.expires_at between now and now + 14 days→ expiring soon.expires_at < now→ expired.
Two alert types fire automatically through the Alert Rules engine:
- Certificate expiring — 14 days before expiry.
- Certificate expired — as soon as the expiry date passes.
Route them to Slack, email, PagerDuty, or any other configured channel.
Let’s Encrypt integration
Section titled “Let’s Encrypt integration”For any Let’s Encrypt certificate the agent detects a valid certbot install, HostAtlas exposes the Renew action. The renewal:
- Runs
certbot renewscoped to the specific certificate. - Takes an automatic backup of the current cert and key before touching anything.
- Rolls back on failure so the site keeps serving the old (still valid) cert.
- Refreshes the discovery data on completion so the new expiry appears on the list.
Renewal is available on Pro and above.