Skip to main content
This page describes what to do in case of an Icinga alert. For more information you could search the govuk-puppet repo for the source of the alert
Last updated: 26 Apr 2023

Check the TLS certificate is valid and not due to expire

These checks look at the validity of the TLS certificates for:

  • at the edge (Fastly)
  • at the origin (our servers)
  • at the edge (Fastly)
  • at the edge (Fastly)
  • *, * and * at the origin (our servers), depending on the environment Icinga is running in

You’ll start seeing an alert 30 days before the relevant certificate is due to expire.

See renew a TLS certificate for GOV.UK for details of how to renew the relevant certificate. This is normally done by GOV.UK Platform Engineering.

Production certificate

The TLS certificate for is managed by Fastly. They will open a support ticket when the certificate is due for renewal. This ticket will be picked up by GOV.UK Platform Engineering, who will co-ordinate with Fastly to renew the certificate.

Production, staging and integration wildcard certificates

The wildcard TLS certificates for production, staging and integration are managed by GOV.UK Platform Engineering. Once the alert appears, they will work to renew the relevant certificate and make it live. For staging and integration, the certificates are also provided to Fastly to enable TLS for our staging and integration CDN environments.