How to check SSL certificate expiry on HAProxy
HAProxy binds a frontend to a PEM file (or a crt-list) that concatenates the certificate, its chain, and the private key. Check it from disk or from the live endpoint.
The universal way: openssl
This works regardless of where your certificate is served from. It opens a TLS connection and prints the validity dates of the certificate the server presents.
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
| openssl x509 -noout -dates -issuer -subject
Read the bound PEM file
Find the bind ... crt path in your frontend (usually under /etc/haproxy/), then read the certificate’s dates. The PEM holds the leaf, intermediates, and key together; openssl x509 reads only the first certificate block (the leaf), so the chain and key are ignored.
grep crt /etc/haproxy/haproxy.cfg
openssl x509 -enddate -noout -in /etc/haproxy/certs/example.com.pem
Verify the full chain is served
HAProxy serves exactly what is in the PEM. If the intermediate is missing from the file, clients see chain errors. Confirm the served chain:
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
Don’t want to run this by hand every month?
SSLNudge checks HAProxy endpoints daily and alerts you before expiry.
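Because openssl x509 reads only the first block of the bound PEM, an intermediate that expires before the leaf goes unnoticed by the on-disk check above. The script below is an added example, not part of the original page: it splits the bundle into its certificate blocks and runs openssl x509 -checkend on each one. The function name check_bundle, its exit codes and the 30-day default window are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report expiry for every certificate in an HAProxy PEM bundle.
# Usage: check_bundle /path/to/bundle.pem [days]   (days defaults to 30)
# Returns 0 if every certificate is valid beyond the window,
#         1 if any certificate expires within it,
#         2 if the file contains no certificate block.
check_bundle() {
    pem=$1
    days=${2:-30}
    tmp=$(mktemp -d) || return 2
    # Write each CERTIFICATE block to its own file; private key blocks are skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }
    ' "$pem"
    rc=2
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || break            # glob matched nothing: no certificates
        if [ "$rc" -eq 2 ]; then rc=0; fi
        subject=$(openssl x509 -noout -subject -in "$c")
        enddate=$(openssl x509 -noout -enddate -in "$c")
        # -checkend exits 0 when the certificate is still valid N seconds from now.
        if openssl x509 -noout -checkend $((days * 86400)) -in "$c" >/dev/null; then
            status=OK
        else
            status=EXPIRING
            rc=1
        fi
        printf '%s  %s  %s\n' "$status" "$enddate" "$subject"
    done
    rm -rf "$tmp"
    return "$rc"
}

# Run directly when called with arguments, e.g. the path found with grep crt.
if [ "$#" -gt 0 ]; then
    check_bundle "$@"
fi
```

The first output line is the leaf when the bundle is ordered leaf first, as the section on reading the PEM describes; a non-zero exit status makes the function usable from cron or a monitoring check.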