Runbook — TLSCertExpiring30d
TLSCertExpiring30d
Severity
Section titled “Severity”warning
Audience
Section titled “Audience”ops
Phase 30.2 / KAN-292
What this alert will do
Section titled “What this alert will do”Blackbox-exporter probes each of the 8 production domains for ssl_earliest_cert_expiry. When the soonest expiry is under 30 days, this alert fires. It supersedes the older CertificateExpiringSoon rule, which is host-scoped rather than domain-scoped.
Fallback procedure (until 30.2 lands)
Section titled “Fallback procedure (until 30.2 lands)”Use the CertificateExpiringSoon runbook — same procedure applies. The diagnosis commands are:
# Which cert expires when:for domain in hub.innoqualis.com docs.innoqualis.com campaigns.innoqualis.com workflows.innoqualis.com crm.innoqualis.com innoqualis.com control.innoqualis.com staging.innoqualis.com; do exp=$(echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null \ | openssl x509 -noout -enddate \ | cut -d= -f2) printf '%-40s %s\n' "$domain" "$exp"done
# Force renewal of a specific domain:docker exec innoqualis-certbot certbot renew --force-renewal --cert-name <domain>docker exec innoqualis-nginx nginx -s reloadRelated
Section titled “Related”- Phase 30.2 spec
CertificateExpiringSoon— existing host-scoped equivalentTLSCertExpiring7d— critical-severity sibling- Motivating incident: 2026-05-17 hub.innoqualis.com silent TLS expiry
Last reviewed
Section titled “Last reviewed”2026-05-29 — ops (stub)