The blackbox exporter from Prometheus publishes the "number of seconds until expiration" as part of the metrics of every HTTPS fetch. Set an alert with 30 days warning, and then don't ignore the alerts.

Problem solved.

PS: It would be nice if it could check whois for the expiration of your domain too, but I haven't seen that yet.