SSL checks
How DomainCare monitors SSL certificate expiry, chain validity, weak ciphers, and deprecated protocols.
The SSL check connects to your domain over TLS and inspects the certificate chain, expiry date, and the cipher suite and protocol negotiated. Problems are surfaced as alerts before they can affect visitors.
What the check inspects
Certificate chain — DomainCare verifies that the full chain from your leaf certificate up to a trusted root CA is valid and complete. A broken or missing intermediate certificate causes TLS handshake failures for some clients even when the leaf cert looks correct.
Expiry — The check reads the Not After field on the leaf certificate. DomainCare fires warning alerts at five thresholds before expiry so you have time to renew without rushing.
Protocols — DomainCare records the highest TLS protocol version your server accepts. SSLv3, TLS 1.0, and TLS 1.1 are deprecated and flagged as warnings.
Cipher suites — Weak or export-grade ciphers (e.g. RC4, DES, 3DES, NULL ciphers) are flagged separately from protocol warnings.
Expiry warning thresholds
| Days remaining | Alert fired | Severity |
|---|---|---|
| 60 days | ssl_cert_expiry_warning (first warning) | Low |
| 30 days | ssl_cert_expiry_warning (second warning) | Low |
| 15 days | ssl_cert_expiry_warning (urgent warning) | Needs attention |
| 7 days | ssl_cert_expiry_warning (critical warning) | Needs attention |
| 5 days | ssl_cert_expiry_warning (final warning) | Critical |
| 0 (expired) | ssl_cert_expired (failure) | Critical |
Alerts this check produces
| Event | Tone | When it fires |
|---|---|---|
| ssl_cert_expired | Failure | Certificate has passed its Not After date |
| ssl_cert_expiry_warning | Warning | Certificate expires within 60, 30, 15, 7, or 5 days |
| ssl_validation_issue | Failure | Chain is invalid, hostname mismatch, or cert is self-signed |
| ssl_weak_protocol_detected | Warning | Server accepts TLS 1.1 or older |
| ssl_weak_cipher_detected | Warning | Server accepts a known-weak cipher suite |
| ssl_recovered | Recovery | Certificate is valid again after a failure event |
| ssl_certificate_renewed | Info | A new certificate with a later expiry replaced the previous one |
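To reproduce these results against your own server, the following added example (not DomainCare's code) maps one TLS handshake to the event names and severities in the tables above. The names classify and probe, the substring match for weak ciphers, and the rule that a threshold is crossed once the days remaining are at or below it are assumptions made for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Days-remaining thresholds and severities from the expiry table, tightest first.
THRESHOLDS = [(5, "Critical"), (7, "Needs attention"), (15, "Needs attention"),
              (30, "Low"), (60, "Low")]
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}       # names as SSLSocket.version() reports them
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP")  # "DES" also matches 3DES (DES-CBC3-*)


def classify(not_after, protocol, cipher, now):
    """Map one observed handshake to (event, level) pairs using the page's event names."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).total_seconds() / 86400
    events = []
    if days_left <= 0:
        events.append(("ssl_cert_expired", "Critical"))
    else:
        # Assumption: a threshold counts as crossed once days_left is at or below it.
        for limit, severity in THRESHOLDS:
            if days_left <= limit:
                events.append(("ssl_cert_expiry_warning", severity))
                break
    if protocol in WEAK_PROTOCOLS:
        events.append(("ssl_weak_protocol_detected", "Warning"))
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        events.append(("ssl_weak_cipher_detected", "Warning"))
    return events


def probe(host, port=443, timeout=5.0):
    """Live handshake with one host; sees only the single negotiated protocol and cipher."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], tls.version(),
                                tls.cipher()[0], datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code == 10:  # OpenSSL X509_V_ERR_CERT_HAS_EXPIRED
            return [("ssl_cert_expired", "Critical")]
        return [("ssl_validation_issue", "Failure")]  # bad chain, hostname mismatch, self-signed


if __name__ == "__main__":
    # Constructed sample: a cert 10 days from expiry, negotiated over TLS 1.1 with 3DES.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(classify("Jan 11 00:00:00 2025 GMT", "TLSv1.1", "DES-CBC3-SHA", now))
```

Python's default context refuses deprecated protocols and weak ciphers on the client side, so probe reports them only if the context is deliberately loosened; listing everything a server accepts takes one handshake per protocol version and cipher offered.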
What to do when alerts fire
ssl_cert_expired
Your certificate has expired. Visitors will see a browser security warning and requests from services that enforce certificate validity will fail immediately.
- Renew the certificate through your CA or hosting provider.
- Deploy the new certificate.
- Verify the ssl_recovered alert arrives within a few minutes of deployment.
ssl_cert_expiry_warning
Your certificate expires soon. The 60-day warning gives you time to renew through an automated process (e.g. Let's Encrypt with certbot or cert-manager). For manually managed certificates, start the renewal at the 30-day warning at the latest.
ssl_validation_issue
Common causes:
- Hostname mismatch — the certificate's Common Name or SAN list does not include your domain. Check that the certificate covers both example.com and www.example.com if you serve both.
- Missing intermediate — your server is not sending the full chain. Add the intermediate certificate bundle to your server configuration.
- Self-signed certificate — replace with a CA-issued certificate.
ssl_weak_protocol_detected
Disable TLS 1.0 and TLS 1.1 in your server configuration. Both nginx and Apache support ssl_protocols TLSv1.2 TLSv1.3; style directives.
ssl_weak_cipher_detected
Update your cipher suite string to exclude weak ciphers. The Mozilla SSL Configuration Generator at ssl-config.mozilla.org produces server-specific configurations rated Intermediate or Modern.