Ops & Monitoring · n8n

SSL & Domain Expiry Guard: never lose a weekend to a certificate that expired at 2 AM

An n8n workflow that checks the SSL certificate and domain expiry dates for every domain you own, once a day, and warns you at 30, 14, 7, and 1 day(s) before anything lapses — the boring automation that prevents the most embarrassing outage there is.

difficulty Beginnersetup 15 minresult Certificate and domain renewals stop being memory-dependent
  1. 1

    List your domains once

    A sheet with domain, expiry_override (optional), and last_alerted_at_days. Every domain you'd be embarrassed to lose goes in — including the redirect domains and the side project you half-forgot.

  2. 2

    Daily certificate check

    A Schedule Trigger (07:00) loops domains through an HTTP Request to https://{domain} with full-response mode; a Code node reads the certificate's valid_to date from the connection info and computes days remaining.

  3. 3

    Daily registration check

    A second HTTP Request per domain hits https://rdap.org/domain/{domain} and the Code node extracts the expiration event. Override column wins when present. Both numbers land in the same per-domain record.

  4. 4

    Warn on the countdown

    An IF cascade alerts at 30/14/7/1 days (deduped via last_alerted_at_days so you get each threshold once): ⚠️ SSL for shop.example.com expires in 7 days / 🔴 DOMAIN example.co expires TOMORROW. The 1-day alert also fires every day past expiry until fixed — annoying by design.

Frequently asked questions

Doesn't Let's Encrypt auto-renew anyway?

When the renewal cron works, yes. The guard exists for when it silently doesn't — a changed DNS record, a moved server, a firewall rule blocking the challenge. Auto-renew failing quietly plus nobody checking is exactly how sites go down with 'connection not private' errors. This is the check on the automation.

How does it check domain expiry without registrar access?

Via RDAP — the successor to WHOIS with clean JSON output (rdap.org fronts most TLDs, free, no key). Some country TLDs don't expose expiry via RDAP; for those, the sheet has a manual `expiry_override` column you fill once a year from your registrar panel, and the alerts work the same.

What about the SSL check — does it need anything installed?

No — an HTTPS request to your own domain returns the certificate metadata, and the workflow reads the valid-until date from it. Works from n8n cloud or self-hosted, no openssl scripting, no agents on your servers.

About this recipe. Recipes on FlowRecipesHub are written for business owners, not developers, and are tested before publishing — how recipes get made. Some ingredient links are affiliate links that cost you nothing — full disclosure.