SSL / TLS Monitoring

As well as monitoring your website to ensure it responds successfully, we also continuously monitor SSL certificates. On each check, we ensure that the certificate presented would be trusted by browsers. If there is an error in this verification, we treat your website as down.

Types of certificate errors

Certificate Expired

This means the SSL certificate has expired. You can view the date the certificate expired in the details on WatchSumo.

Wrong Hostname

This means the SSL certificate does not have a Subject or Subject Alternative Name (SAN) matching the hostname.

Self-signed Certificate

Self-signed certificates are an easy way to test SSL, but should not be used for production (even for internal-use) applications. You can get free SSL certificates from Let's Encrypt. If you really want to keep doing this, you can disable SSL monitoring for this website and we won't treat this as an error again.

Untrusted CA

The certificate was signed by a Certificate Authority (CA) that would not be recognised by browsers. This may be a false-positive if the certificate is signed by an internal CA, where the CA certificate is distributed to all computers within the network. If this is the case, you can disable SSL monitoring for this website.

Incomplete Chain

This error means the server presented a SSL certificate with an incomplete (partial) chain. This means there is a configuration error in the web server. Most web browsers will fetch the missing certificates, not treat this as an error. However if the URL is for an API, a lot of HTTP clients are not able to do this, so will be unable to make a request without disabling SSL verification (which is a security risk).

Expiry notices

We will email you 30, 14, 7 and 3 days before a certificate expires. We do this for all certificates that are actively used (meaning we've seen it at least once in the past 36 hours), so if you have a fleet of servers that have certificates due to expire, you don't need to worry about missing one.