In a world where SSL certificates are expiring faster and faster, and automation is no longer a luxury but a necessity, monitoring the status of Let’s Encrypt certificates is becoming crucial for any organization. While it may seem that a simple script would suffice for such a simple task, it is worth choosing a more powerful tool like Checkmk. It is full-featured, easy to configure and free in the basic version, and it lets you track not only the status of certificates but also the health of the entire infrastructure.
Key findings
- Checkmk offers quick monitoring of Let’s Encrypt certificates without the need to install an agent on each machine.
- Ability to automate configuration and precise email alerts when a certificate is about to expire.
- Checkmk can be run on a small VPS machine or locally – even as a side application on a NAS.
- With a system of rules and folders, users can centrally manage all certificates and hosts from a single console.
- The system avoids false alarms by using soft/hard states.
Table of contents
- Why monitor Let’s Encrypt certificates?
- What is Checkmk and which edition should I choose?
- Checkmk installation step by step
- Create certificate monitoring – folders, hosts and rules
- Email notifications and testing alerts
- Optimization and avoidance of false alarms
- Additional options – check_httpv2 and multiple hostnames
- What will the future of SSL certificates bring?
- Summary
Why monitor Let’s Encrypt certificates?
SSL certificates are the cornerstone of Internet security today. However, Let’s Encrypt works differently than traditional issuers: its certificates are only valid for 90 days. Because renewal is automated, any failure in that process can leave a site unavailable. By monitoring certificates, we can detect a failed renewal in advance and avoid downtime or reputational damage.
What is Checkmk and which edition should I choose?
Checkmk is a powerful monitoring tool available in two versions:
- Checkmk Raw – a free open source version, ideal for technical users.
- Checkmk Cloud – a commercial version with improved performance and easier configuration of email alerts.
For most users, the Cloud version will be more convenient – after 30 days it automatically switches to free mode with fewer than 750 monitored services.
Checkmk installation step by step
All you need to do is download the .deb package tailored to your Linux distribution, update the packages and install Checkmk. The system is based on “sites”, i.e. monitoring instances – they allow you to safely test without risking damage to your entire configuration.
Creating the first site:
After installation, from your browser you can already log in as cmkadmin.
Create certificate monitoring – folders, hosts and rules
Start by creating a folder, e.g. “letsencrypt”, where you will put hosts monitored only by active checks (that is, without installing an agent). You can add hosts manually or import them via CSV (even by pasting hostnames).
After adding hosts, create a new “Check certificates” rule under Setup > Rules. Set, for example, 22 days as the warning threshold and assign the rule to the letsencrypt folder. Within minutes, the system will check the validity of each SSL certificate for the added hosts.
Email notifications and testing alerts
Well-configured notifications are the basis for effective monitoring. The Raw version requires MTA configuration (e.g. Nullmailer), while Checkmk Cloud allows you to send notifications directly through smarthost. You can assign an email address to a user in the Everything group and test the performance of alerts using the “Test notifications” function.
Optimization and avoidance of false alarms
To avoid a deluge of e-mails when there is a momentary degradation of service, you can set soft and hard states (e.g., three attempts to check before sending a notification). This keeps the system vigilant without overdoing it.
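The 22-day warning threshold and the three-attempt soft/hard logic described above can be modelled in a few lines. This is an added example, not Checkmk's own code: the 7-day critical threshold, the function names and the sample data are assumptions, and the state machine is a simplified Nagios-style model.

```python
import socket
import ssl
from datetime import datetime, timezone

OK, WARN, CRIT = 0, 1, 2  # Nagios-style state codes

def fetch_not_after(host, port=443, timeout=5.0):
    """Agentless check: TLS handshake only, return the leaf certificate's notAfter.
    An already-expired or untrusted certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def cert_state(not_after, now, warn_days=22, crit_days=7):
    """Map remaining validity to a state. crit_days=7 is an assumed value."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = (expires - now).total_seconds() / 86400
    if remaining < crit_days:
        return CRIT
    return WARN if remaining < warn_days else OK

def notifications(states, max_attempts=3):
    """Replay check results; return (index, state) for each notification sent.
    A problem becomes 'hard' only after max_attempts consecutive non-OK results."""
    hard, attempt, sent = OK, 0, []
    for i, state in enumerate(states):
        if state == OK:
            if hard != OK:            # recovery from a confirmed problem
                sent.append((i, OK))
            hard, attempt = OK, 0     # soft problems clear silently
        elif state == hard:
            attempt = 0               # same confirmed problem, nothing new
        else:
            attempt += 1              # soft state: retry before alerting
            if attempt >= max_attempts:
                hard, attempt = state, 0
                sent.append((i, state))
    return sent

# Constructed sample data (not from the page)
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)
SAMPLE_CERTS = {"fresh": "Aug 30 00:00:00 2025 GMT",
                "renewal-stalled": "Jun 29 00:00:00 2025 GMT",
                "nearly-expired": "Jun 13 00:00:00 2025 GMT"}
SAMPLE_STATES = [OK, CRIT, OK, CRIT, CRIT, CRIT, CRIT, OK]  # one blip, then an outage

if __name__ == "__main__":
    for name, not_after in SAMPLE_CERTS.items():
        print(name, cert_state(not_after, NOW))
    print(notifications(SAMPLE_STATES))
```

In the sample sequence the single failed check at index 1 produces no e-mail; only the third consecutive failure and the later recovery do.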
Additional options – check_httpv2 and multiple hostnames
The basic certificate check performs only the SSL handshake. If you want to check more (e.g. HTTP response codes, redirects, page content), use check_httpv2.
For certificates containing multiple alternative names (SANs), create a separate host for each domain and add them all to the letsencrypt folder.
What will the future of SSL certificates bring?
By 2029, browsers will only accept certificates with a maximum validity period of 47 days. As early as March 2025, the limit is 100 days, and Let’s Encrypt plans to issue certificates for 6 days. That means only efficient monitoring and automation will save your uptime.
Summary
Implementing SSL certificate monitoring from Checkmk is an investment that will quickly pay off. In addition to monitoring Let’s Encrypt, the tool also allows you to analyze performance, disk usage, hardware health or database performance.
Don’t wait for your certificate to expire. Contact us and learn more about Checkmk solutions!