Catch expiring SSL certificates before they cause outages
Every weekday morning, scan Cloudflare for expiring or stuck SSL certificates and file a tracked Linear ticket so nothing slips through to a real outage.
Every weekday at 9am, sweep my Cloudflare account for SSL certificate problems, file a Linear ticket for each finding, and post a one-line digest to a Slack channel.
Trigger: cron, weekdays at 9am in my local timezone.
Step 1. Pull data from Cloudflare. Use List Zones to enumerate every zone the API token can see. For each zone, call List Certificate Packs to get the SSL certificate packs (Universal and Advanced) and List Custom Hostnames to get any Cloudflare for SaaS hostnames. If you need full validation records or contained certificates for a specific pack to make a judgement, call Get Certificate Pack for that one pack.
Step 2. Reason over the combined data and identify three kinds of findings: (a) certificate packs whose expiry is within the next 30 days and whose status is not already in a renewing or in-progress state, (b) custom hostnames that have been sitting in pending_validation for more than 24 hours, and (c) any certificate pack or custom hostname in an error, failed, or deleted state. Skip anything that is already actively renewing or in a healthy active state.
Step 3. For each finding, first call Linear Search Issues to look for an existing open ticket for the same hostname (search the hostname text and filter to non-completed states). If a matching open ticket exists, skip the finding so we never duplicate. Otherwise call Linear Create Issue in a team named Infrastructure (make this easy to change). Use a clear title like "SSL cert for app.acme.com expires in 12 days, no renewal in flight". The body should include the hostname, the certificate pack ID or custom hostname ID, the exact expiry timestamp, the validation method (TXT or HTTP), the current status, the zone name, and a one-line recommended remediation step such as restarting pack validation, republishing the DCV TXT record, or ordering a new Advanced cert. Set priority to Urgent (1) when the cert expires in fewer than 7 days or is in a hard error state, and High (2) for everything in the 7 to 30 day window or the stuck-validation case.
Step 4. After processing all zones, if at least one ticket was created or already exists open from a previous run for a still-broken finding, send one Slack message via Send a Message to the #infra channel. The message should be a single line summarizing the count by severity and linking the created Linear issues, for example: "3 SSL findings today: 1 urgent (expires in 4 days), 2 high. Tickets: <links>." If there are zero findings, do nothing. Do not post an "all clear" message and do not touch Linear.
Things to keep configurable so I can tweak them later: the Linear team name, the Slack channel, the 30 day and 7 day thresholds, and the 24 hour stuck-validation threshold. The Cloudflare API token should already be scoped to all the zones I care about; do not try to filter by zone name.
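Steps 2 through 4 are mostly classification, deduplication and priority rules, so here is that decision logic written out as an added Python example. It is my illustration, not Geni's, Cloudflare's or Linear's code. It assumes the Cloudflare response field names (`status`, `hosts`, `validation_method` and `certificates[].expires_on` on certificate packs; `ssl.status`, `ssl.method` and `created_at` on custom hostnames) and the state names in the two sets at the top; the zones, IDs, timestamps and the open-ticket title are constructed sample data. Using `created_at` as the "pending since" time is also an assumption, because the API exposes no state-change timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Knobs the prompt says to keep configurable.
WARN_DAYS = 30       # expiring inside this window is a finding
URGENT_DAYS = 7      # fewer days than this, or any hard error, is Urgent
STUCK_HOURS = 24     # pending_validation older than this is "stuck"
URGENT, HIGH = 1, 2  # Linear priority values named in the prompt

# Cloudflare SSL states (assumed from the certificate-pack / custom-hostname API).
IN_PROGRESS = {"initializing", "pending_validation", "pending_issuance",
               "pending_deployment", "pending_expiration", "backup_issued"}
ERROR_STATES = {"expired", "deleted", "inactive", "initializing_timed_out",
                "validation_timed_out", "issuance_timed_out", "deployment_timed_out"}

@dataclass
class Finding:
    kind: str                  # "expiring", "stuck_validation" or "error"
    hostname: str
    object_id: str             # certificate pack ID or custom hostname ID
    zone: str
    status: str
    validation_method: str
    expires_on: Optional[str]
    priority: int
    remediation: str

def _ts(value: str) -> datetime:
    """Parse the RFC 3339 timestamps (trailing Z) Cloudflare returns."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def priority_for(days_left: Optional[float], hard_error: bool) -> int:
    """Step 3 rule: Urgent under URGENT_DAYS or on a hard error, otherwise High."""
    if hard_error or (days_left is not None and days_left < URGENT_DAYS):
        return URGENT
    return HIGH

def classify_pack(zone: str, pack: dict, now: datetime) -> Optional[Finding]:
    """Findings (a) and (c) of Step 2 for one certificate pack."""
    status, host = pack["status"], pack["hosts"][0]
    method = pack.get("validation_method", "unknown")
    # The earliest expiry among the pack's certificates sets the window.
    expiries = [_ts(c["expires_on"]) for c in pack.get("certificates", []) if c.get("expires_on")]
    expires = min(expiries).isoformat() if expiries else None
    if status in ERROR_STATES:
        return Finding("error", host, pack["id"], zone, status, method, expires,
                       priority_for(None, True), "Restart pack validation or order a new Advanced cert")
    if status in IN_PROGRESS or not expiries:
        return None  # renewal already in flight, or no certificate to judge expiry on
    days_left = (min(expiries) - now) / timedelta(days=1)
    if days_left < WARN_DAYS:
        return Finding("expiring", host, pack["id"], zone, status, method, expires,
                       priority_for(days_left, False), "Restart pack validation")
    return None

def classify_custom_hostname(zone: str, ch: dict, now: datetime) -> Optional[Finding]:
    """Findings (b) and (c) of Step 2 for one Cloudflare for SaaS custom hostname."""
    ssl = ch.get("ssl", {})
    status, method = ssl.get("status", "unknown"), ssl.get("method", "unknown")
    if status in ERROR_STATES:
        return Finding("error", ch["hostname"], ch["id"], zone, status, method, None,
                       priority_for(None, True), "Republish the DCV record and re-run validation")
    if status == "pending_validation":
        # Assumption: created_at stands in for "pending since" (no state-change timestamp in the API).
        pending_hours = (now - _ts(ch["created_at"])) / timedelta(hours=1)
        if pending_hours > STUCK_HOURS:
            return Finding("stuck_validation", ch["hostname"], ch["id"], zone, status, method,
                           None, priority_for(None, False), "Republish the DCV TXT record")
    return None

def dedupe(findings: List[Finding], open_issue_titles: List[str]) -> List[Finding]:
    """Step 3 guard: drop findings whose hostname already appears in an open Linear issue."""
    return [f for f in findings if not any(f.hostname in t for t in open_issue_titles)]

def ticket_title(f: Finding, now: datetime) -> str:
    if f.kind == "expiring":
        days = int((_ts(f.expires_on) - now) / timedelta(days=1))
        return f"SSL cert for {f.hostname} expires in {days} days, no renewal in flight"
    if f.kind == "stuck_validation":
        return f"SSL validation for {f.hostname} stuck pending for over {STUCK_HOURS}h"
    return f"SSL cert for {f.hostname} is in {f.status} state"

def digest(findings: List[Finding], links: List[str]) -> Optional[str]:
    """Step 4: one line, or None (post nothing) when there are no findings."""
    if not findings:
        return None
    urgent = sum(1 for f in findings if f.priority == URGENT)
    return (f"{len(findings)} SSL findings today: {urgent} urgent, "
            f"{len(findings) - urgent} high. Tickets: {' '.join(links)}")

def run_sweep(zones: List[dict], open_issue_titles: List[str], now: datetime) -> List[Finding]:
    found: List[Finding] = []
    for z in zones:
        found += [f for p in z["certificate_packs"] if (f := classify_pack(z["name"], p, now))]
        found += [f for h in z["custom_hostnames"] if (f := classify_custom_hostname(z["name"], h, now))]
    return dedupe(found, open_issue_titles)

# Constructed sample data in the assumed API shape (not real zones, IDs or tickets).
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_ZONES = [
    {"name": "acme.com", "custom_hostnames": [], "certificate_packs": [
        {"id": "pack-1", "hosts": ["app.acme.com"], "status": "active", "validation_method": "txt",
         "certificates": [{"expires_on": "2024-06-13T09:00:00Z"}]},   # 12 days out: High
        {"id": "pack-2", "hosts": ["www.acme.com"], "status": "active", "validation_method": "http",
         "certificates": [{"expires_on": "2024-06-04T09:00:00Z"}]},   # 3 days out, but a ticket is open
        {"id": "pack-3", "hosts": ["api.acme.com"], "status": "pending_issuance",
         "certificates": [{"expires_on": "2024-06-10T09:00:00Z"}]},   # renewing: skip
        {"id": "pack-4", "hosts": ["old.acme.com"], "status": "expired", "certificates": []},  # error
        {"id": "pack-5", "hosts": ["ok.acme.com"], "status": "active",
         "certificates": [{"expires_on": "2025-01-01T00:00:00Z"}]}]},  # healthy: skip
    {"name": "saas.example", "certificate_packs": [], "custom_hostnames": [
        {"id": "ch-1", "hostname": "t1.saas.example", "created_at": "2024-05-28T09:00:00Z",
         "ssl": {"status": "pending_validation", "method": "txt"}},    # 96h pending: stuck
        {"id": "ch-2", "hostname": "t2.saas.example", "created_at": "2024-06-01T01:00:00Z",
         "ssl": {"status": "pending_validation", "method": "http"}}]},  # 8h pending: skip
]
OPEN_ISSUE_TITLES = ["SSL cert for www.acme.com expires in 4 days, no renewal in flight"]

if __name__ == "__main__":
    findings = run_sweep(SAMPLE_ZONES, OPEN_ISSUE_TITLES, NOW)
    for f in findings:
        print(f.priority, ticket_title(f, NOW))
    print(digest(findings, ["INF-1", "INF-2", "INF-3"]))
```

The only parts of the workflow not shown are the actual API calls: `run_sweep` takes the already-fetched zone data, and `dedupe` stands in for the Linear search by matching the hostname against open issue titles, which is the same check Step 3 asks for. Note the boundary: a cert exactly 7 days out lands in High, matching "fewer than 7 days" for Urgent.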
Additional information
What does this prompt do?
- Sweeps every Cloudflare zone you have access to and inspects each SSL certificate pack and custom hostname for expiry, errors, and stuck validation.
- Flags certificates expiring in the next 30 days with no renewal in flight, custom hostnames stuck in pending validation for more than 24 hours, and any pack in an error state.
- Files a Linear ticket for each finding with the hostname, expiry, current status, and a recommended fix, set to Urgent or High based on time to expiry.
- Posts a one-line digest to your infra Slack channel linking the new tickets, and stays silent on days when nothing is wrong.
What do I need to use this?
- A Cloudflare account with an API token that can read zones, certificate packs, and custom hostnames.
- A Linear workspace and a team where the tickets should be filed.
- A Slack workspace and a channel for the daily digest, such as #infra.
How can I customize it?
- Change the run time or skip weekends to match your on-call schedule.
- Pick a different Linear team or Slack channel.
- Tweak the thresholds, such as warning 14 days out instead of 30, or only escalating to Urgent inside 3 days.
- Add a default assignee or label so new tickets land with the right person.
Frequently asked questions
How does it avoid creating duplicate tickets every day?
Does it work with Cloudflare for SaaS custom hostnames?
What happens on days with no SSL problems?
Can I use a different ticket tracker instead of Linear?
How are priorities decided?
Stop finding out about expired SSL certs from your customers.
Connect Cloudflare, Linear, and Slack once. Geni sweeps your certificates every weekday at 9am and files a tracked ticket for anything at risk.