This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Full changelog
Two main themes in this release:
- OCSP stapling (Pro) — certificate monitors now capture the OCSP staple presented during the TLS handshake and raise a critical alert the moment a certificate is reported revoked.
- Status page on a dedicated subdomain — host the public status page at `status.example.com/` with a clean URL, full personalization, and a single new env var.
OCSP stapling (Pro)
Revoked certificates can no longer hide behind a still-valid expiration date. Every certificate check — whether it comes from a standalone monitor or is auto-detected through an HTTPS endpoint — now captures the OCSP staple presented during the TLS handshake.
The captured fields are persisted on each check and exposed via the API:
| Field | Meaning |
|-------|---------|
| ocsp_status | good, revoked, unknown or error |
| ocsp_produced_at | Timestamp when the OCSP response was issued |
| ocsp_next_update | Timestamp until which the staple is considered fresh |
| ocsp_revoked_at | Set when the responder reports a revocation |
| ocsp_parse_error | Set when the staple is present but unparseable |
Behavior
- `revoked` emits a new `ocsp_revoked` critical alert through the existing pipeline — triggers, escalations, silences, and acknowledgments all apply without any extra configuration.
- Stale staples (`NextUpdate` in the past) downgrade to `unknown` and never alert, avoiding noise during responder outages.
- No staple presented is treated as `unknown` — also silent. Pinging the OCSP responder out-of-band is out of scope.
- `ocsp_revoked` is resolved automatically the next time a check returns `good` (rotation deployed).
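The Behavior rules above, replayed over a constructed check history as an added example (not the project's own code). The dict shape, the `responder_status` key and the function names are assumptions made for illustration, as is the choice that `error` neither fires nor resolves the alert.

```python
from datetime import datetime, timedelta, timezone


def classify(staple, now):
    """Return the ocsp_status for one check, following the Behavior rules.

    `staple` is None when the server presented no staple; otherwise a dict
    (hypothetical shape) using the field names from the table above.
    """
    if staple is None:
        return "unknown"                   # no staple presented: silent
    if staple.get("ocsp_parse_error"):
        return "error"                     # present but unparseable
    if staple["ocsp_next_update"] < now:
        return "unknown"                   # stale: downgraded, never alerts
    return staple["responder_status"]      # good / revoked / unknown


def run_checks(checks, now):
    """Replay checks oldest first; return (status, alert action) pairs."""
    active = False                         # is ocsp_revoked currently firing?
    out = []
    for staple in checks:
        status = classify(staple, now)
        action = None
        if status == "revoked" and not active:
            active, action = True, "fire"
        elif status == "good" and active:
            active, action = False, "resolve"
        out.append((status, action))
    return out


# Constructed sample history; one fixed "now" is used for every check.
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
FRESH = NOW + timedelta(days=3)
STALE = NOW - timedelta(hours=1)
HISTORY = [
    {"responder_status": "good", "ocsp_next_update": FRESH},
    {"responder_status": "revoked", "ocsp_next_update": STALE},  # stale staple
    {"responder_status": "revoked", "ocsp_next_update": FRESH,
     "ocsp_revoked_at": NOW - timedelta(days=1)},
    None,                                                         # no staple
    {"ocsp_parse_error": "malformed response", "ocsp_next_update": FRESH},
    {"responder_status": "good", "ocsp_next_update": FRESH},     # rotated cert
]

if __name__ == "__main__":
    for status, action in run_checks(HISTORY, NOW):
        print(f"{status:8} {action or '-'}")
```

The stale `revoked` staple in the second check stays silent, which is the trade-off the notes accept to avoid noise during responder outages: a revocation only alerts once a fresh staple carries it.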
UI
The SSL Certificates surface gains:
- A dedicated OCSP block in the slideover detail (status badge, produced-at / next-update, parse error message).
- An OCSP badge on certificate cards — shown only when the status is `revoked` or `error`, so green and unknown stay quiet.
- A new History tab on the slideover that renders the per-check history (status dot, days remaining, OCSP badge) from `GET /api/v1/certificates/{id}/checks`.
- Humanized alert labels in Active alerts and the Alerts list: `ocsp_revoked` shows as "Certificate revoked (OCSP)".
Edition gating
OCSP stapling is a Pro feature. Capture runs in Community to keep the code path simple, but persistence, API exposure, and alert emission are skipped unless the Pro edition is active. A new ocsp_stapling feature flag is exposed on GET /api/v1/edition; Community users see a Pro teaser in the OCSP block instead of an empty section.
Migration
Migration 20_cert_ocsp adds five nullable columns to cert_check_results. Existing rows are unaffected. The down.sql is a no-op (SQLite < 3.35 does not support DROP COLUMN); rolling back means staying on v1.2.12.
Status page on its own subdomain
The public status page can now be hosted at its own URL (e.g. https://status.example.com/) with no visible /status in the address bar. It is served by the Vue SPA, so all personalization features introduced in v1.2.11 (branding, palette, announcement banner, footer, FAQ, localization) render on both same-domain and subdomain deployments.
MAINTENANT_STATUS_URL
A new optional environment variable that declares the canonical, externally-reachable URL of your status page:
MAINTENANT_STATUS_URL=https://status.example.com
It is exposed to the frontend through GET /api/v1/edition as status_url and surfaced via the useEdition().statusURL composable. The admin UI uses it for the View public status page link in /status-admin, with a fallback to /status when the variable is not set — so existing single-domain deployments continue to work unchanged.
Subdomain routing
When the status page is served from its own subdomain, the Vue router detects the dedicated-status context and mounts PublicStatusPage at /, so visitors see a clean address bar with no redirect flash.
For deployments behind Traefik, the recommended middleware is replacepathregex (only rewriting the root / to /status/) rather than addprefix — this keeps SPA asset paths (/assets/...) and SSE endpoints (/status/events) intact:
http.routers.maintenant-status.rule: "Host(`status.example.com`)"
http.routers.maintenant-status.middlewares: "status-rewrite@docker"
http.middlewares.status-rewrite.replacepathregex.regex: "^/$"
http.middlewares.status-rewrite.replacepathregex.replacement: "/status/"
Fixes & internals
- Certificate checks listing — `GET /api/v1/certificates/{id}/checks` now exposes `days_remaining` in the JSON payload (previously omitted because it was a method, not a field).
- `alert_advanced_filters` feature flag — surfaced on the edition endpoint so the frontend can gate Pro-only trigger filters (scopes, tags) without a separate edition call.
- Status page assets — fixed double-prefix 404s on CSS and SSE paths when Traefik `addprefix=/status` was used; the favicon request is suppressed to avoid spurious 404s.
- TriggerManager refactor — per-trigger rendering, channel-name lookup, and filter summarization extracted into a dedicated `TriggerList.vue` component. Pure refactor, no behavior change.
Upgrade notes
- OCSP stapling: nothing to configure — the feature activates automatically on Pro the moment v1.2.13 starts. Migration `20_cert_ocsp` runs at startup. The first check after upgrade will populate OCSP fields where a staple is present.
- Status page (single-domain setups): nothing to do — `MAINTENANT_STATUS_URL` is optional and the admin link falls back to `/status`.
- Status page (subdomain setups): set `MAINTENANT_STATUS_URL=https://status.example.com` and route the subdomain to the same backend. If you use Traefik, prefer `replacepathregex` (`^/$` → `/status/`) over `addprefix=/status` so SPA assets and SSE paths are not double-prefixed.
Documentation
- Updated: Certificates, Configuration, Status Page.