How to monitor HTTPS certificate expiry with Nagios Core

A website can keep answering requests while its TLS certificate is close to the Not After date that will make clients reject the connection. Adding a dedicated Nagios Core service check gives certificate renewal its own warning and critical states instead of hiding it inside a general HTTPS availability check.

The check_http plugin can run in certificate mode with -C. In that mode it connects to the TLS listener, reads the served certificate, and returns OK, WARNING, or CRITICAL from the remaining day count. Test the installed plugin before changing command definitions because certificate-mode options can vary between packaged plugin builds.

The sample object uses the Ubuntu and Debian package layout with /usr/lib/nagios/plugins, /etc/nagios4/conf.d, and the nagios4 service. check_http -C is an expiry check, not a full certificate trust audit, so pair it with a separate chain or hostname-coverage review when the renewal handoff needs evidence beyond the number of days remaining.

Steps to monitor HTTPS certificate expiry with Nagios Core:

Run the certificate check as the nagios user from the Nagios server.
```
$ sudo -u nagios /usr/lib/nagios/plugins/check_http \
    -H www.example.net \
    -p 443 \
    --sni \
    -C 30,14
OK - Certificate 'www.example.net' will expire on Sat Sep 19 00:51:00 2026 +0000.
```
-H names the HTTPS host, and --sni sends that name during TLS negotiation. Add -I only when the TCP address differs from the certificate hostname.

Related: How to run a Nagios plugin manually

Test the warning threshold with a temporary value higher than the remaining lifetime reported by the first check.

$ sudo -u nagios /usr/lib/nagios/plugins/check_http \
    -H www.example.net \
    -p 443 \
    --sni \
    -C 120,60
WARNING - Certificate 'www.example.net' expires in 88 day(s) (Sat Sep 19 00:51:00 2026 +0000).

The first value after -C is the warning threshold in days.

Test the critical threshold with a temporary critical value higher than the remaining lifetime reported by the first check.
```
$ sudo -u nagios /usr/lib/nagios/plugins/check_http \
    -H www.example.net \
    -p 443 \
    --sni \
    -C 120,100
CRITICAL - Certificate 'www.example.net' expires in 88 day(s) (Sat Sep 19 00:51:00 2026 +0000).
```
The second value after the comma is the critical threshold in days. Return to production thresholds before saving the service object.
Create a Nagios object file for the HTTPS certificate check.
```
$ sudoedit /etc/nagios4/conf.d/https-certificate-monitor.cfg
```
Use an existing host object when web01.example.net is already defined, or create the host first before adding the service.
Related: How to add a host in Nagios Core

Add the host, command, and service objects.

define host {
    use                     linux-server
    host_name               web01.example.net
    alias                   Public website
    address                 www.example.net
}
 
define command {
    command_name            check_https_certificate
    command_line            $USER1$/check_http -H $HOSTADDRESS$ -p $ARG1$ --sni -C $ARG2$,$ARG3$
}
 
define service {
    use                     generic-service
    host_name               web01.example.net
    service_description     HTTPS Certificate
    check_command           check_https_certificate!443!30!14
    check_interval          720
    retry_interval          60
    max_check_attempts      2
    notification_interval   720
}

With the default interval_length of 60 seconds, check_interval 720 checks every 12 hours. $USER1$ is the standard plugin-directory macro on Nagios Core installs. Adjust the interval and notification timing to match the renewal policy for the site.

Validate the Nagios configuration before reloading the service.

$ sudo nagios4 -v /etc/nagios4/nagios.cfg
Nagios Core 4.4.6
##### snipped #####
Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check

Reload the nagios4 service to apply the new object file.
```
$ sudo systemctl reload nagios4
```
Related: How to manage the Nagios Core system service
Confirm that the nagios4 service stayed active after the reload.
```
$ sudo systemctl is-active nagios4
active
```
Related: How to manage the Nagios Core system service
Run the production threshold command again as a final smoke test.
```
$ sudo -u nagios /usr/lib/nagios/plugins/check_http \
    -H www.example.net \
    -p 443 \
    --sni \
    -C 30,14
OK - Certificate 'www.example.net' will expire on Sat Sep 19 00:51:00 2026 +0000.
```
If the web UI still shows Pending for HTTPS Certificate, force a service check or wait for the next scheduled interval.
Related: How to reschedule an active check in Nagios Core

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.