Solution · Expiry watch

The certificate that expired in production happens to other people.

Engager checks TLS certificate expiry and WHOIS domain registration expiry on every host you operate. Three escalation tiers, configurable per host, surfaced in every status digest, paged when the deadline gets close.

30d

Warning starts

Default, tunable

7d

Escalation

Bumps to critical kind

1d

Final page

Sustained across channels

WHOIS

Domain expiry

Independent of TLS

Two clocks

The cert clock and the registration clock are different.

A TLS certificate from Let's Encrypt expires every ninety days and renews automatically. A domain registration expires every one to ten years and never renews automatically.

Engager watches both. The dashboard shows both in the same row. The report flags both with their own escalation tiers.

Cert · Registration

Two timelines, one row

Three tiers

Warning, escalation, critical.

At thirty days, a soft warning lands in the next status digest. At seven days, the kind is bumped to critical and lands on the on call channel. At one day, the bypass fires through quiet hours.

Each threshold is tunable per host. A staging cert at three days is normal. A prod cert at three days is a fire.

30 · 7 · 1

Three tiers, three escalations

What every probe checks

More than the days remaining.

Days remaining

Calendar precise. Reports show the absolute date and the integer day count.

Protocol version

TLS 1.3 by default. Anything older surfaces as a security event.

Cipher strength

Weak suites flagged in the security headers panel of every report.

WHOIS registration

Domain expiry checked daily. Auto renew unreliable on the legacy registrars.

HSTS preload

Preloaded hosts surfaced explicitly. Useful when pruning the security review.

Chain validation

Full chain walked. An incomplete chain is an outage on Safari before any other browser.

  • Lockdown overrides

    Pause a host during a controlled cutover. Engager remembers, and resumes on schedule.

  • Per host warn windows

    Set 60 days on the contractual hosts, 30 on staging, 14 on the personal blog.

  • Never silent

    Even when nothing is wrong, the status digest shows the next host in line. The number is in front of you, every report.

Make the cert renewal a non event.

Add a host