Outage https://meta.miraheze.org/wiki/Special:IncidentReports/31 was caused by an old, expired root certificate. If we had an Icinga check covering all TLS certificates present on a system, Icinga could have alerted us and SRE would have been able to fix the root certificate before it expired.
Adding another actionable (from the incident report) here: "Write (or install) a command line utility looping over all certificates in a file, openssl x509'ing those certificates and returing the output."