SSL Certificate Hell: Preventing Unplanned Outages at Scale
A single expired wildcard SSL certificate took down 40 production web applications. Here is how we automated certificate lifecycle monitoring.
βAt 8:00 AM on a Monday, 40 enterprise customer portals went down simultaneously with βNET::ERR_CERT_DATE_INVALIDβ. A wildcard SSL certificate had quietly expired over the weekend.β
In June 2016 at Wipro, an expired wildcard SSL certificate installed across multiple F5 BIG-IP LTM SSL profiles caused a massive application outage.
The Root Cause: Manual Tracking Failure
The certificate lifecycle had been tracked in a manual Excel spreadsheet. When the primary administrator left the company, the renewal notification email bounced.
- 40 Virtual Servers (VIPs) were bound to a single ClientSSL profile referencing the expired certificate.
- Browsers instantly blocked all incoming user traffic with security warnings.
[!IMPORTANT] Never rely on human memory or manual spreadsheets for TLS certificate renewal tracking.
The Solution: Automated Python Expiration Scanner
I wrote an automated Python scanner using OpenSSL to query all production F5 LTM VIPs and internal web endpoints weekly, sending alert notifications 60, 30, and 7 days prior to expiry.
# # Python TLS Certificate Expiration Inspector
import socket
import ssl
import datetime
def check_cert_expiry(hostname, port=443):
context = ssl.create_default_context()
with socket.create_connection((hostname, port)) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
cert = ssock.getpeercert()
expiry_date = datetime.datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
days_left = (expiry_date - datetime.datetime.utcnow()).days
print(f"Host: {hostname} | Days Remaining: {days_left}")
check_cert_expiry("app.company.com")
The Verdict
Key Takeaway
Automate Public Key Infrastructure (PKI) Monitoring.
Treat TLS certificates as short-lived assets that must be monitored programmatically. Automating expiration scans prevents embarrassing, high-visibility application downtime.
Sachin Kumar Sharma
Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp
Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.