{"id":39265,"date":"2025-06-15T13:52:29","date_gmt":"2025-06-15T13:52:29","guid":{"rendered":"https:\/\/ramsdata.com.pl\/lets-encrypt-certificate-monitoring-with-checkmk-a-complete-solution-for-administrators\/"},"modified":"2025-06-15T13:52:29","modified_gmt":"2025-06-15T13:52:29","slug":"lets-encrypt-certificate-monitoring-with-checkmk-a-complete-solution-for-administrators","status":"publish","type":"post","link":"https:\/\/ramsdata.com.pl\/en\/lets-encrypt-certificate-monitoring-with-checkmk-a-complete-solution-for-administrators\/","title":{"rendered":"Let&#8217;s Encrypt certificate monitoring with Checkmk &#8211; a complete solution for administrators"},"content":{"rendered":"<p data-start=\"99\" data-end=\"678\">In a world where SSL certificates are expiring faster and faster, and automation is no longer a luxury, but a necessity &#8211; <strong data-start=\"214\" data-end=\"264\">monitoring the status of Let&#8217;s Encrypt certificates<\/strong> is becoming crucial for any organization. While it may seem that a simple script would suffice for such a simple function, it is worth betting on a more powerful tool like <a class=\"\" href=\"https:\/\/ramsdata.com.pl\/checkmk\/\" target=\"_new\" rel=\"noopener\" data-start=\"446\" data-end=\"489\">Checkmk<\/a>. It&#8217;s a full-featured, easy to configure and free in the basic version, which will allow you not only to track the status of certificates, but also the health of the entire infrastructure.  <\/p>\n<h3 data-start=\"680\" data-end=\"705\">Key findings<\/h3>\n<ul data-start=\"707\" data-end=\"1338\">\n<li data-start=\"707\" data-end=\"830\">\n<p data-start=\"709\" data-end=\"830\"><strong data-start=\"709\" data-end=\"720\">Checkmk<\/strong> offers quick monitoring of Let&#8217;s Encrypt certificates without the need to install an agent on each machine.<\/p>\n<\/li>\n<li data-start=\"831\" data-end=\"964\">\n<p data-start=\"833\" data-end=\"964\">Ability to automate configuration and precise email alerts when a certificate is about to expire.<\/p>\n<\/li>\n<li data-start=\"965\" data-end=\"1099\">\n<p data-start=\"967\" data-end=\"1099\"><a class=\"\" href=\"https:\/\/ramsdata.com.pl\/checkmk\/\" target=\"_new\" rel=\"noopener\" data-start=\"967\" data-end=\"1010\">Checkmk<\/a> can be run on a small VPS machine or locally &#8211; even as a side application on a NAS.<\/p>\n<\/li>\n<li data-start=\"1100\" data-end=\"1226\">\n<p data-start=\"1102\" data-end=\"1226\">With a system of rules and folders, users can centrally manage all certificates and hosts from a single console.<\/p>\n<\/li>\n<li data-start=\"1227\" data-end=\"1338\">\n<p data-start=\"1229\" data-end=\"1338\">The system avoids false alarms by using soft\/hard states.<\/p>\n<\/li>\n<\/ul>\n<h2 data-start=\"1340\" data-end=\"1354\">Table of contents<\/h2>\n<ol data-start=\"1356\" data-end=\"1764\">\n<li data-start=\"1356\" data-end=\"1412\">\n<p data-start=\"1359\" data-end=\"1412\">Why monitor Let&#8217;s Encrypt certificates?<\/p>\n<\/li>\n<li data-start=\"1413\" data-end=\"1456\">\n<p data-start=\"1416\" data-end=\"1456\">What is Checkmk and which edition should I choose?<\/p>\n<\/li>\n<li data-start=\"1457\" data-end=\"1492\">\n<p data-start=\"1460\" data-end=\"1492\">Checkmk installation step by step<\/p>\n<\/li>\n<li data-start=\"1493\" data-end=\"1556\">\n<p data-start=\"1496\" data-end=\"1556\">Create certificate monitoring &#8211; folders, hosts and rules<\/p>\n<\/li>\n<li data-start=\"1557\" data-end=\"1601\">\n<p data-start=\"1560\" data-end=\"1601\">Email notifications and testing alerts<\/p>\n<\/li>\n<li data-start=\"1602\" data-end=\"1648\">\n<p data-start=\"1605\" data-end=\"1648\">Optimization and avoidance of false alarms<\/p>\n<\/li>\n<li data-start=\"1649\" data-end=\"1702\">\n<p data-start=\"1652\" data-end=\"1702\">Additional options &#8211; check_httpv2 and multiple hostnames<\/p>\n<\/li>\n<li data-start=\"1703\" data-end=\"1748\">\n<p data-start=\"1706\" data-end=\"1748\">What will the future of SSL certificates bring?<\/p>\n<\/li>\n<li data-start=\"1749\" data-end=\"1764\">\n<p data-start=\"1752\" data-end=\"1764\">Summary<\/p>\n<\/li>\n<\/ol>\n<h2 data-start=\"1766\" data-end=\"1822\">Why monitor Let&#8217;s Encrypt certificates?<\/h2>\n<p data-start=\"1824\" data-end=\"2187\">SSL certificates are the cornerstone of Internet security today. However, Let&#8217;s Encrypt works differently than traditional issuers &#8211; their certificates are only valid for 90 days. With automated renewal, any failure can result in a site being unavailable. By monitoring certificates, we can detect a failure in advance and avoid downtime or an image crisis.   <\/p>\n<h2 data-start=\"2189\" data-end=\"2232\">What is Checkmk and which edition should I choose?<\/h2>\n<p data-start=\"2234\" data-end=\"2342\"><a class=\"\" href=\"https:\/\/ramsdata.com.pl\/checkmk\/\" target=\"_new\" rel=\"noopener\" data-start=\"2234\" data-end=\"2277\">Checkmk<\/a> is a powerful monitoring tool available in two versions:<\/p>\n<ul data-start=\"2343\" data-end=\"2535\">\n<li data-start=\"2343\" data-end=\"2429\">\n<p data-start=\"2345\" data-end=\"2429\"><strong data-start=\"2345\" data-end=\"2360\">Checkmk Raw<\/strong> &#8211; a free open source version, ideal for technical users.<\/p>\n<\/li>\n<li data-start=\"2430\" data-end=\"2535\">\n<p data-start=\"2432\" data-end=\"2535\"><strong data-start=\"2432\" data-end=\"2449\">Checkmk Cloud<\/strong> &#8211; a commercial version with improved performance and easier configuration of email alerts.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2537\" data-end=\"2696\">For most users, the Cloud version will be more convenient &#8211; after 30 days it automatically switches to free mode with less than 750 monitored services.<\/p>\n<h2 data-start=\"2698\" data-end=\"2733\">Checkmk installation step by step<\/h2>\n<p data-start=\"2735\" data-end=\"2993\">All you need to do is download the <code data-start=\"2759\" data-end=\"2765\">.deb<\/code> package tailored to your Linux distribution, update the packages and install Checkmk. The system is based on &#8220;sites&#8221;, i.e. monitoring instances &#8211; they allow you to safely test without risking damage to your entire configuration. <\/p>\n<p data-start=\"2995\" data-end=\"3022\">Creating the first page:<\/p>\n<div class=\"contain-inline-size rounded-2xl relative bg-token-sidebar-surface-primary\">\n<div class=\"flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between h-9 bg-token-sidebar-surface-primary select-none rounded-t-2xl\">bash<\/div>\n<div class=\"sticky top-9\">\n<div class=\"absolute end-0 bottom-0 flex h-9 items-center pe-2\">\n<div class=\"bg-token-bg-elevated-secondary text-token-text-secondary flex items-center gap-4 rounded-sm px-2 font-sans text-xs\"><button class=\"flex gap-1 items-center select-none py-1\" aria-label=\"Kopiuj\">Copy<\/button><span class=\"\" data-state=\"closed\"><button class=\"flex items-center gap-1 py-1 select-none\">Edit<\/button><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\"><code class=\"whitespace-pre! language-bash\">omd create my1stcheckmk<br \/>\nomd su my1stcheckmk<br \/>\ncmk-passwd cmkadmin<br \/>\nomd start<br \/>\n<\/code><\/div>\n<\/div>\n<p data-start=\"3111\" data-end=\"3190\">After installation, from your browser you can already log in as <code data-start=\"3179\" data-end=\"3189\">cmkadmin<\/code>.<\/p>\n<h2 data-start=\"3192\" data-end=\"3255\">Create certificate monitoring &#8211; folders, hosts and rules<\/h2>\n<p data-start=\"3257\" data-end=\"3501\">Start by creating a folder, e.g. &#8220;letsencrypt&#8221;, where you will put hosts monitored only by active checks (that is, without installing an agent). You can add hosts manually or import them via CSV (even by pasting hostnames).  <\/p>\n<p data-start=\"3503\" data-end=\"3761\">After adding hosts, create a new &#8220;Check certificates&#8221; rule under <strong data-start=\"3533\" data-end=\"3550\">Setup &gt; Rules<\/strong>. Set, for example, 22 days as the warning threshold and assign the rule to the letsencrypt folder. Within minutes, the system will check the validity of each SSL certificate for the added hosts.  <\/p>\n<h2 data-start=\"3763\" data-end=\"3807\">Email notifications and testing alerts<\/h2>\n<p data-start=\"3809\" data-end=\"4188\">Well-configured notifications are the basis for effective monitoring. The Raw version requires MTA configuration (e.g. Nullmailer), while <a class=\"\" href=\"https:\/\/ramsdata.com.pl\/checkmk\/\" target=\"_new\" rel=\"noopener\" data-start=\"3945\" data-end=\"3994\">Checkmk Cloud<\/a> allows you to send notifications directly through smarthost. You can assign an email address to a user in the Everything group and test the performance of alerts using the &#8220;Test notifications&#8221; function.  <\/p>\n<h2 data-start=\"4190\" data-end=\"4236\">Optimization and avoidance of false alarms<\/h2>\n<p data-start=\"4238\" data-end=\"4459\">To avoid a deluge of e-mails when there is a momentary degradation of service, you can set <strong data-start=\"4321\" data-end=\"4347\">soft and hard states<\/strong> (e.g., three attempts to check before sending a notification). This keeps the system vigilant without overdoing it. <\/p>\n<h2 data-start=\"4461\" data-end=\"4514\">Additional options &#8211; check_httpv2 and multiple hostnames<\/h2>\n<p data-start=\"4516\" data-end=\"4694\">The basic certificate check performs only the SSL handshake. If you want to check more (e.g. HTTP response codes, redirects, page content), use check_httpv2. <\/p>\n<p data-start=\"4696\" data-end=\"4858\">For certificates containing multiple alternative names (SANs), create a separate host for each domain and add them all to the letsencrypt folder.<\/p>\n<h2 data-start=\"4860\" data-end=\"4905\">What will the future of SSL certificates bring?<\/h2>\n<p data-start=\"4907\" data-end=\"5208\">Until 2029, browsers will accept certificates with a maximum validity period of 47 days. As early as March 2025, the limit is 100 days, and <a class=\"\" href=\"https:\/\/ramsdata.com.pl\/checkmk\/\" target=\"_new\" rel=\"noopener\" data-start=\"5043\" data-end=\"5092\">Let&#8217;s Encrypt<\/a> plans to issue certificates for 6 days. That means: <strong data-start=\"5143\" data-end=\"5207\">only efficient monitoring and automation will save your uptime<\/strong>.  <\/p>\n<h2 data-start=\"5210\" data-end=\"5225\">Summary<\/h2>\n<p data-start=\"5227\" data-end=\"5492\">Implementing SSL certificate monitoring from <a class=\"\" href=\"https:\/\/ramsdata.com.pl\/checkmk\/\" target=\"_new\" rel=\"noopener\" data-start=\"5268\" data-end=\"5311\">Checkmk<\/a> is an investment that will quickly pay off. In addition to monitoring Let&#8217;s Encrypt, the tool also allows you to analyze performance, disk usage, hardware health or database performance. <\/p>\n<p data-start=\"5494\" data-end=\"5595\" data-is-last-node=\"\" data-is-only-node=\"\">Don&#8217;t wait for your certificate to expire. Contact us and learn more about CheckMK solutions! <\/p>\n<p data-start=\"5494\" data-end=\"5595\" data-is-last-node=\"\" data-is-only-node=\"\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter size-full wp-image-39251\" src=\"https:\/\/ramsdata.com.pl\/wp-content\/uploads\/2025\/07\/ramsdata-2.jpg\" alt=\"Let's Encrypt certificate monitoring with Checkmk - a complete solution for administrators\" width=\"1725\" height=\"1125\" srcset=\"https:\/\/ramsdata.com.pl\/wp-content\/uploads\/2025\/07\/ramsdata-2.jpg 1725w, https:\/\/ramsdata.com.pl\/wp-content\/uploads\/2025\/07\/ramsdata-2-300x196.jpg 300w, https:\/\/ramsdata.com.pl\/wp-content\/uploads\/2025\/07\/ramsdata-2-1024x668.jpg 1024w, https:\/\/ramsdata.com.pl\/wp-content\/uploads\/2025\/07\/ramsdata-2-768x501.jpg 768w, https:\/\/ramsdata.com.pl\/wp-content\/uploads\/2025\/07\/ramsdata-2-1536x1002.jpg 1536w\" sizes=\"(max-width: 1725px) 100vw, 1725px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a world where SSL certificates are expiring faster and faster, and automation is no longer a luxury, but a necessity &#8211; monitoring the status of Let&#8217;s Encrypt certificates is becoming crucial for any organization. While it may seem that a simple script would suffice for such a simple function, it is worth betting on [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":39252,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[56],"tags":[],"class_list":["post-39265","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-en"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/posts\/39265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/comments?post=39265"}],"version-history":[{"count":0,"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/posts\/39265\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/media\/39252"}],"wp:attachment":[{"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/media?parent=39265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/categories?post=39265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ramsdata.com.pl\/en\/wp-json\/wp\/v2\/tags?post=39265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}