Runbook — TLSCertExpiring7d
TLSCertExpiring7d
Severity
Section titled “Severity”critical
Audience
Section titled “Audience”ops
Phase 30.2 / KAN-292
What this alert will do
Section titled “What this alert will do”The critical-severity sibling of TLSCertExpiring30d. When a cert has fewer than 7 days remaining, escalation is immediate — there is no slack left.
Fallback procedure (until 30.2 lands)
Section titled “Fallback procedure (until 30.2 lands)”Treat as urgent. Force-renew the affected cert immediately.
# Identify the affected domain from the alert's instance label, then:docker exec innoqualis-certbot certbot renew --force-renewal --cert-name <domain> -vdocker exec innoqualis-nginx nginx -s reload
# Verify:echo | openssl s_client -connect <domain>:443 -servername <domain> 2>/dev/null \ | openssl x509 -noout -datesIf renewal fails, this is the 2026-05-17 incident replaying — check the ACME challenge path:
curl -fsS -o /dev/null -w '%{http_code}\n' http://<domain>/.well-known/acme-challenge/test# Expected: 404. If 301 (redirect to HTTPS) — the nginx ACME block was lost.If 301 is observed, restore the location /.well-known/acme-challenge/ block in the port-80 server stanza (see the post-mortem for the 2026-05-17 incident in tasks/lessons.md).
Escalation
Section titled “Escalation”If the cert cannot be renewed within 24 hours, file an emergency change with the on-call lead. Manual cert procurement (Let’s Encrypt staging → production) is the last resort.
Related
Section titled “Related”- Phase 30.2 spec
TLSCertExpiring30d— warning-severity siblingCertbotRenewalStalled— upstream alert that catches this earlier
Last reviewed
Section titled “Last reviewed”2026-05-29 — ops (stub)