How to Monitor SSL Certificate Expiration with OpenClaw in Paradime

Feb 26, 2026


How to Build Automated SSL Certificate Monitoring with Paradime, OpenClaw, and Slack

An expired SSL certificate is a silent outage waiting to happen. One minute everything looks fine; the next, browsers are throwing NET::ERR_CERT_DATE_INVALID errors and customers are bouncing. The worst part? It's entirely preventable.

This guide walks you through building a fully automated SSL certificate monitoring pipeline using Paradime, OpenClaw, and Slack. You'll write a Python script that checks certificate expiration across your domains, alerts your team at 30/14/7-day thresholds, and runs on a daily cron schedule — all with an incident-friendly, "time to first clue" mindset.

By the end, you'll have a reproducible, minimal-fix setup that turns certificate expiration from a scramble into a non-event.

What Is Paradime?

Paradime is an all-in-one AI platform purpose-built for analytics and data engineering teams. It provides a dbt™-native workspace that replaces dbt Cloud™ with a faster, AI-assisted development experience. Teams use Paradime to handle the full lifecycle of their data workflows — from development and CI/CD to scheduling, monitoring, and collaboration.

For this guide, the key Paradime feature is Bolt — the platform's scheduler for dbt™ and Python pipelines. Bolt supports cron-based scheduling, environment variable management, Slack notifications, and Python script execution in production. This makes it the ideal orchestration layer for our SSL monitoring script.

Key Paradime capabilities we'll leverage:

  • Bolt Schedules: Cron-based scheduling with timezone support

  • Environment Variables: Secure storage for API keys and webhook URLs

  • Python Script Execution: Run custom Python scripts alongside dbt™ commands

  • Slack Notifications: Built-in alerting on schedule pass/fail

What Is OpenClaw?

OpenClaw is an open-source autonomous AI agent that runs on your own hardware and connects to messaging apps you already use — Slack, Discord, Telegram, WhatsApp, and more. It's not just a chatbot; it's a local-first gateway that can execute commands, manage files, and run scheduled tasks.

OpenClaw's SSL Certificate Monitor skill (ssl-certificate-monitor) is a lightweight CLI utility that checks SSL/TLS certificate health across single domains or domain lists. It uses Python's built-in SSL libraries with zero external API dependencies, supports batch monitoring, configurable alert thresholds, and JSON output for pipeline integration.

OpenClaw also has a built-in cron scheduler — the Gateway's scheduler that persists jobs, wakes the agent at the right time, and delivers output to chat channels. We'll use this alongside Paradime Bolt to create a layered monitoring approach.

Figure 1: High-level architecture — Paradime Bolt and OpenClaw each run daily SSL checks and alert to Slack.

Setup: openclaw-sdk + SSL Library + Slack SDK

Prerequisites

Before you begin, ensure you have:

  • Python 3.10+ installed

  • A Paradime account with Bolt access (sign up)

  • An OpenClaw instance running (install guide)

  • A Slack workspace with permissions to create incoming webhooks

Step 1: Install Dependencies

Create a pyproject.toml (or requirements.txt) with the following dependencies:

Install via Poetry (recommended for Paradime Bolt):

Or via pip:

Step 2: Install the OpenClaw SSL Certificate Monitor Skill

If you're running OpenClaw locally, install the SSL monitor skill:

Verify the skill works with a quick check:

Step 3: Configure Slack Incoming Webhook

  1. Go to Slack API Apps → Create New App

  2. Select Incoming Webhooks → Toggle Activate

  3. Click Add New Webhook to Workspace → Select your alert channel

  4. Copy the webhook URL — you'll store this as an environment variable

Figure 2: Environment variable setup flow for connecting Slack, OpenClaw, and Paradime.

Script: Check SSL Expiration and Alert at 30/14/7-Day Thresholds

Here's the complete Python script that forms the core of our monitoring pipeline. It's designed with an incident-friendly mindset: structured output, clear severity levels, and fast "time to first clue."

ssl_monitor.py

How the Decision Tree Works

The script follows a structured decision tree to minimize noise and maximize signal:

Figure 3: Decision tree for SSL certificate severity classification and alerting.
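
The classification this decision tree describes, as an added example (not the page's ssl_monitor.py). EXPIRED, CRITICAL and ERROR are severity names the page uses; WARNING and NOTICE and all function names are assumptions. Because verification stays on, an already-expired certificate fails the handshake, so that specific verification error is mapped to EXPIRED.

```python
import socket
import ssl
import time

# 30/14/7-day thresholds from the page; WARNING and NOTICE are assumed names.
TIERS = [(7, "CRITICAL"), (14, "WARNING"), (30, "NOTICE")]
CERT_HAS_EXPIRED = 10  # OpenSSL X509_V_ERR_CERT_HAS_EXPIRED


def days_remaining(not_after: str, now: float) -> int:
    """Whole days until notAfter, e.g. 'Jun  1 12:00:00 2026 GMT'."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(days: int) -> str:
    """Map days remaining to a severity; the tightest matching tier wins."""
    if days < 0:
        return "EXPIRED"
    for limit, severity in TIERS:
        if days <= limit:
            return severity
    return "OK"


def finding(host: str, port: int, severity: str, detail: str) -> dict:
    return {"domain": host, "port": port, "severity": severity, "detail": detail}


def check_domain(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Handshake with full verification; every failure becomes a finding."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate is rejected here and never reaches classify().
        expired = exc.verify_code == CERT_HAS_EXPIRED
        return finding(host, port, "EXPIRED" if expired else "ERROR",
                       exc.verify_message)
    except OSError as exc:  # DNS failure, refused connection, timeout, TLS error
        return finding(host, port, "ERROR", f"{type(exc).__name__}: {exc}")
    days = days_remaining(not_after, time.time())
    return finding(host, port, classify(days), f"{days} days left ({not_after})")
```
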

Environment Variables: OPENCLAW_API_KEY, SLACK_WEBHOOK_URL, DOMAINS_LIST

All sensitive configuration lives in environment variables — never hard-coded. Here's what you need:

| Variable | Description | Example |
| --- | --- | --- |
| OPENCLAW_API_KEY | Your OpenClaw API key for SDK access | oc_sk_abc123... |
| SLACK_WEBHOOK_URL | Slack incoming webhook URL for alerts | https://hooks.slack.com/services/T00/B00/xxx |
| DOMAINS_LIST | Comma-separated list of domains to monitor | example.com,api.example.com,app.example.com:8443 |

Configuring in Paradime

  1. Navigate to Settings → Workspaces → Environment Variables

  2. In the Bolt Schedules section, click Add New

  3. Add each variable:

  4. Click the Save icon

Tip: You can also bulk upload variables via CSV. Create a file with Key,Value headers and drag-and-drop it in the Bolt Schedules environment variables section.

Accessing Variables in Your Script

Paradime injects these variables into the Bolt runtime automatically — no .env files or dotenv packages needed in production.
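
One way to read and validate the three variables at startup, as an added example (not code from the original page). The function names, the default port of 443 for entries without one, and the redaction helper are assumptions; the variable names and the `host:port` entry form come from the table above.

```python
import os

REQUIRED = ("OPENCLAW_API_KEY", "SLACK_WEBHOOK_URL", "DOMAINS_LIST")


def parse_domains(raw: str) -> list[tuple[str, int]]:
    """'a.com, b.com:8443' -> [('a.com', 443), ('b.com', 8443)]."""
    targets = []
    for entry in raw.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue  # tolerate trailing commas and blank entries
        host, sep, port_text = entry.partition(":")
        port = int(port_text) if sep else 443  # ValueError on 'host:abc'
        if not host or not 1 <= port <= 65535:
            raise ValueError(f"bad DOMAINS_LIST entry: {entry!r}")
        if (host, port) not in targets:  # drop duplicates, keep order
            targets.append((host, port))
    return targets


def load_config(env=os.environ) -> dict:
    """Fail once, listing every missing name, instead of a bare KeyError."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        # Names only: secret values never reach the run's stdout/stderr logs.
        raise SystemExit(f"missing environment variables: {', '.join(missing)}")
    return {
        "api_key": env["OPENCLAW_API_KEY"],
        "webhook_url": env["SLACK_WEBHOOK_URL"],
        "targets": parse_domains(env["DOMAINS_LIST"]),
    }


def redact(secret: str, keep: int = 4) -> str:
    """Form that is safe to print in run logs: last few characters only."""
    return "***" + secret[-keep:] if len(secret) > keep else "***"
```
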

Bolt Schedule: Cron Daily

Now wire the script into Paradime Bolt to run every day. You have two options: UI-based or YAML-as-code.

Option A: UI-Based Schedule

  1. Navigate to Bolt from the Paradime home screen

  2. Click + New Schedule → + Create New Schedule

  3. Configure:

| Field | Value |
| --- | --- |
| Type | Standard |
| Name | ssl_certificate_monitor |
| Commands | poetry install, python ssl_monitor.py |
| Git Branch | main |
| Owner Email | your-email@company.com |
| Trigger Type | Scheduled Run |
| Cron Schedule | 0 8 * * * (daily at 8:00 AM UTC) |
| Slack Notify On | failed |
| Slack Channel | #data-team-alerts |

Option B: YAML-as-Code (paradime_schedules.yml)

Place this file in your dbt™ project root alongside dbt_project.yml:

Bonus: OpenClaw Cron Job (Layered Monitoring)

For defense-in-depth, also schedule the check via OpenClaw's built-in cron:

This gives you two independent monitoring paths: Paradime Bolt at 8:00 AM UTC and OpenClaw at 9:00 AM UTC.

Figure 4: Staggered dual-monitoring timeline ensures redundant coverage.

Monitoring and Debugging

Monitoring the Monitor

Your SSL monitoring pipeline itself needs observability. Here's a layered approach:

1. Paradime Bolt Dashboard

Check the Bolt UI for schedule run history. Each execution shows:

  • ✅ Pass / ❌ Fail status

  • Execution duration (watch for SLA breaches)

  • Full stdout/stderr logs

2. Slack Alert Verification

If you're not seeing alerts, that's either good news or a silent failure. Add a weekly heartbeat:

3. OpenClaw Gateway Logs

Check OpenClaw's cron job status:

Debugging Failed Runs

When a Bolt schedule fails, Paradime provides the full execution log. Here's the debugging decision tree:

Figure 5: Debugging decision tree for failed Bolt schedule runs.

Troubleshooting Common Issues

1. ssl.SSLCertVerificationError: certificate verify failed

Cause: The target domain has an invalid, self-signed, or misconfigured certificate chain.

Fix: This is actually a valid finding — your monitor detected a problem. If you need to check self-signed certificates (e.g., internal staging), modify the SSL context:

⚠️ Warning: Disabling verification defeats the purpose for public domains. Only use this for internal certificates with known trust stores.

2. socket.timeout: timed out

Cause: The domain is unreachable from the Paradime Bolt execution environment, or a firewall is blocking port 443.

Fix:

  • Verify the domain resolves: add a DNS check before the SSL handshake

  • Increase the timeout from 10s to 30s for slow endpoints

  • Confirm Paradime's outbound network allows connections to port 443

3. KeyError: 'SLACK_WEBHOOK_URL'

Cause: Environment variable not configured in Paradime Bolt settings.

Fix:

  1. Go to Settings → Workspaces → Environment Variables

  2. Confirm the variable exists in the Bolt Schedules section (not the Code IDE section)

  3. Check for typos in the key name

  4. Remember: Admin access is required to add or edit variables

4. Slack Returns 403 Forbidden or 404 Not Found

Cause: The webhook URL is expired, revoked, or incorrectly copied.

Fix:

  1. Go to your Slack App settings

  2. Navigate to Incoming Webhooks

  3. Regenerate the webhook URL

  4. Update the SLACK_WEBHOOK_URL environment variable in Paradime

5. OpenClaw Cron Job Not Firing

Cause: Gateway restart cleared the job, or timezone mismatch.

Fix:

6. ModuleNotFoundError: No module named 'slack_sdk'

Cause: Dependencies not installed before script execution.

Fix: Ensure poetry install is the first command in your Bolt schedule, before python ssl_monitor.py. Bolt runs commands sequentially in a clean environment.

Quick Reference: Common Fixes

| Symptom | Time to First Clue | Fix |
| --- | --- | --- |
| No Slack alerts at all | Check Bolt logs → 30s | Verify SLACK_WEBHOOK_URL env var |
| Alert for wrong domains | Check DOMAINS_LIST → 10s | Update comma-separated list |
| Script runs but no output | Check stdout in Bolt → 30s | Ensure print() statements exist |
| Timeout on one domain | Check specific domain → 60s | Increase conn.settimeout() |
| All domains show ERROR | Check network → 60s | Verify outbound 443 access |

Wrapping Up

You've built a production-grade SSL certificate monitoring system that:

  1. Checks every domain daily via Paradime Bolt's cron scheduler

  2. Alerts at 30/14/7-day thresholds with severity-coded Slack messages

  3. Uses OpenClaw's SSL Monitor skill for standardized certificate inspection

  4. Provides defense-in-depth with staggered Paradime + OpenClaw schedules

  5. Is fully reproducible — everything is defined in code (paradime_schedules.yml, ssl_monitor.py, environment variables)

Figure 6: Complete system overview — script, scheduling, and debugging.

The incident-friendly design means when something does go wrong, your team's "time to first clue" is measured in seconds, not hours. The structured Slack alerts tell you exactly which domain, how many days remain, and what severity level — no log diving required.

Next Steps

  • Add more domains by updating the DOMAINS_LIST environment variable

  • Tighten thresholds for critical production domains (e.g., 60/30/14 days)

  • Integrate with PagerDuty for CRITICAL/EXPIRED severity auto-escalation

  • Track certificate metadata over time by piping JSON output to your data warehouse via dbt™ models in Paradime

Stop worrying about certificate expiry. Let the automation handle it.


Stop Managing Pipelines. Start Shipping Them.

Join the teams that replaced manual dbt™ workflows with agentic AI. Free to start, no credit card required.


Copyright © 2026 Paradime Labs, Inc. Made with ❤️ in San Francisco ・ London

*dbt® and dbt Core® are federally registered trademarks of dbt Labs, Inc. in the United States and various jurisdictions around the world. Paradime is not a partner of dbt Labs. All rights therein are reserved to dbt Labs. Paradime is not a product or service of or endorsed by dbt Labs, Inc.
