Skip to content

SSL Certificate Expiry Tracker

Example prompt: "Check our domains for SSL certificates getting close to expiry, and if the owner has not already started a renewal, chase the right team well before anything is at risk of going down."

The Problem

An expired SSL certificate takes a customer-facing site offline within minutes of midnight on the day it lapses, and the alert almost always comes from a customer rather than from monitoring. Smaller IT teams track certificate renewals in a spreadsheet that nobody opens between renewals, and the ones that auto-renew through the hosting provider quietly fail when a billing card is replaced or DNS validation is missed. By the time the alert lands, the renewal team needs an hour at minimum and the site is already off.

How GloriaMundo Solves It

We build a workflow that runs every morning. A code step reads the list of tracked domains from a Google Sheet, opens a TLS connection to each one, and pulls the notAfter date from the certificate. A conditional step bands the result — anything inside 60 days is interesting, anything inside 30 days is a chase, anything inside 7 days is an escalation. For domains in the chase or escalation band, an integration step looks up the certificate owner in the same sheet, raises a Jira ticket against them if one is not already open, and posts a short note in the #it-infra channel on Slack with the domain, the expiry date, and the assigned owner. An LLM step drafts the body of the Jira ticket — what the domain is for, what is on it, where the cert was last renewed, and the steps the owner usually takes to renew. Glass Box preview shows the band each domain falls into, the open-ticket check, and the drafted ticket bodies before anything is raised.

Example Workflow Steps

  1. Trigger (scheduled): Every morning at 08:00.
  2. Step 1 (integration): Read the tracked-domains sheet from Google Sheets — domain, owner, ticket queue, last-renewal date, notes.
  3. Step 2 (code): For each domain, open a TLS connection, read the certificate, and record the notAfter date and issuer.
  4. Step 3 (conditional): Band each domain by days-to-expiry — over 60 (skip), 30-60 (watch), 7-30 (chase), under 7 (escalate).
  5. Step 4 (integration): For domains in the chase or escalate band, check Jira for an open renewal ticket already assigned to the owner; if one exists, record the link and skip.
  6. Step 5 (LLM): For each remaining domain, draft a renewal ticket body — domain purpose, current expiry, last-renewal date, the steps the owner usually takes, and the band (chase or escalate).
  7. Step 6 (integration): Raise the Jira ticket against the certificate owner, with the band reflected in the ticket priority.
  8. Step 7 (integration): Post a single summary in #it-infra on Slack listing every domain in the chase and escalate bands, with the Jira link for each.

Integrations Used

  • Google Sheets — the tracked-domains register with owner, ticket queue, and renewal history
  • Jira — where the renewal ticket gets raised against the certificate owner
  • Slack — the morning summary in #it-infra so the IT lead sees the queue at a glance

Who This Is For

Small IT and infrastructure teams responsible for a handful to a few hundred public-facing domains, where renewal is owned by different teams (marketing for the brand sites, engineering for the API domains, finance for the billing subdomain) and the only thing the IT lead wants is to know which renewals are in flight and which are not.

Time & Cost Saved

Reading a TLS certificate and checking an open-ticket register takes seconds per domain, so the workflow comfortably covers a few hundred domains in a single morning run. The saving is not in the technician time — that was perhaps an hour a quarter — but in avoiding the cost of an outage caused by an expired cert, which on a customer-facing site routinely runs into thousands of pounds of revenue lost per hour plus the support and reputation cost of the public failure.