How to check SSL certificate expiry on Kubernetes

In Kubernetes, certificates usually live in TLS secrets, often managed by cert-manager. Renewal can fail if an ACME HTTP-01/DNS-01 challenge breaks, leaving a secret to quietly expire.

Read a TLS secret’s expiry

Decode the certificate from the secret and print its dates.

kubectl get secret example-tls -o jsonpath='{.data.tls\.crt}' \
  | base64 -d | openssl x509 -noout -dates -subject

Check cert-manager Certificate resources

cert-manager records the renewal time on the Certificate resource.

kubectl get certificate -A
kubectl get certificate example -o jsonpath='{.status.notAfter}{"\n"}'

Don’t want to run this by hand every month?

SSLNudge checks Kubernetes endpoints daily and alerts you before expiry.

Monitor it free

Related errors

CERT_HAS_EXPIRED
UNABLE_TO_VERIFY_LEAF_SIGNATURE

Tip: paste a hostname into the free SSL checker to see its expiry right now.