Expiring certificates are frustrating, especially when they serve business-critical applications and someone "forgot" to renew them. When they do expire and the outage is publicly obvious, the usual line is that "mistakes were made", which translates to "unspecified people made undetermined mistakes, and your site failed for your customers".
This is unacceptable and should not still be happening in 2023; arguably it should not have been happening since around 2010, when renewal could first be automated so that certificates simply do not expire. I understand that many companies have still not caught up with automatic renewal, which Let's Encrypt has offered since it launched.
Either way, the failure comes down to a lack of auditing, monitoring or accountability, or all three if you are unlucky. So this starts with the options you have for how the report is presented: a CLI/shell tool, a website, or e-mail. Note that the tools below expect different list formats: ssl-cert-check takes one "host port" pair per line (for example "a6n.co.uk 9481" or "google.com 8944"), while jota-cert-checker takes "host:port" (for example "a6n.co.uk:9481" or "google.com:8944").
Option 1 : CLI Option (with e-mail at the end)
Using ssl-cert-check
ssl-cert-check is a shell script provided free of charge by the author of prefetch.net; the current copy can be downloaded from its GitHub repository:
$ wget https://raw.githubusercontent.com/Matty9191/ssl-cert-check/master/ssl-cert-check
Make the script executable (chmod +x ssl-cert-check) and put it somewhere on your PATH. It comes with several options, which can be viewed with the "-h" option:
$ ssl-cert-check -h
Usage: ssl-cert-check [ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ] [-i]
{[ -s common_name ] && [ -p port]} || {-f cert_file} || {-c certificate file}
-a : Send a warning message through email
-c cert file : Print the expiration date for a PEM formatted
certificate passed as an option
-e email address : Email address to send expiration notices
-f cert file : File with a list of FQDNs and ports
-h : Print this screen
-i : Print the issuer of the certificate
-p port : Port to connect to (interactive mode)
-s commmon name : Server to connect to (interactive mode)
-q : Don't print anything on the console
-x days : Certificate expiration interval (eg. if cert_date < days)
Running ssl-cert-check Against a Certificate File
If you manage numerous certificates on a web server and have the PEM files to hand, ssl-cert-check can print the expiration date for each one: run it with the "-c" option followed by the certificate file to process:
$ ssl-cert-check -c /etc/ca/cacert.pem
Host Status Expires Days Left
----------------------------------------------- ------------ ------------ ----------
FILE:/etc/ca/cacert.pem Valid Jan 2 2024 267
Running ssl-cert-check Against A Network Accessible Server
If you do not have local access to the certificate files, you can use ssl-cert-check's network connectivity option to fetch the certificate from the production server and read its expiration date: use "-s" for the site and "-p" for the TCP port:
$ ssl-cert-check -s a6n.co.uk -p 443
Host Status Expires Days Left
----------------------------------------------- ------------ ------------ ----------
a6n.co.uk:443 Valid May 27 2023 47
Running ssl-cert-check Against A List Of Servers
If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that file:
$ nano ssldomains
WARNING : Ensure you get your formatting correct. This example requires one entry per line in the form <site><space><port>; if the file is not in this format the check will not run correctly.
a6n.co.uk 443
google.com 443
$ ssl-cert-check -f ssldomains
Host Status Expires Days Left
----------------------------------------------- ------------ ------------ ----------
a6n.co.uk:443 Valid May 27 2023 47
google.com:443 Valid Jun 12 2023 63
It is sometimes useful to view the organization that issued a certificate. When ssl-cert-check is executed with the “-i” option, the issuer is printed along with the certificate expiration date:
$ ssl-cert-check -i -f ssldomains
Host Issuer Status Expires Days Left
----------------------------------- ----------------- -------- ----------- ---------
a6n.co.uk:443 Google Trust Sev Valid May 27 2023 47
google.com:443 Google Trust Sev Valid Jun 12 2023 63
ssl-cert-check can send e-mail notifications when a certificate is getting close to expiring. The following example combines the options above ("-a" to send the warning by e-mail, "-e" for the recipient, "-x" for the threshold) to send a notification if one or more of the hosts listed in ssldomains has a certificate that will expire within the next 14 days:
$ ssl-cert-check -a -f ssldomains -q -x 14 -e ssl.man@bear.local
Because "-q" is given, nothing is printed on the console; the report arrives only in the e-mail sent to the "-e" address, so the host that runs this (typically from cron) needs a working local mail command.
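As an added example (not part of ssl-cert-check or of this post), the script below reproduces the arithmetic behind the "Days Left" column and the "-x" threshold using plain openssl and date, so you can see exactly what is being compared and reuse it where installing another tool is not an option. It assumes GNU date (for "date -d") and openssl on PATH; the hostnames, the ssldomains-style list and the self-signed test certificates it generates are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: the "Days Left" and -x logic of ssl-cert-check re-done with openssl.
# Assumes GNU date (date -d) and openssl on PATH. Hostnames and certs are constructed.
set -e

# days_left_pem <file.pem>
# Prints whole days until notAfter (negative once expired), like the "Days Left" column.
days_left_pem() {
  local not_after end now diff days
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end=$(date -u -d "$not_after" +%s)
  now=$(date -u +%s)
  diff=$((end - now))
  days=$((diff / 86400))
  # floor rather than truncate, so a cert that expired ten minutes ago reads -1, not 0
  if [ $((diff % 86400)) -lt 0 ]; then days=$((days - 1)); fi
  echo "$days"
}

# days_left_remote <host> <port>
# Fetches the leaf certificate over TLS and prints days left. -servername sends SNI;
# without it a host serving several names may hand back the wrong certificate.
# Needs network, so it is not exercised by the offline demo below.
days_left_remote() {
  local tmp
  tmp=$(mktemp)
  openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp"
  days_left_pem "$tmp"
  rm -f "$tmp"
}

# expiring_within <days> <listfile> <lookup>
# <listfile> uses the "host port" format of ssl-cert-check -f. <lookup> is a command
# taking host and port that prints days left (days_left_remote in real use).
# Prints "host:port days" for every entry with fewer than <days> days left,
# matching the "-x" help text "if cert_date < days".
expiring_within() {
  local threshold="$1" list="$2" lookup="$3" host port d
  while read -r host port; do
    [ -z "$host" ] && continue            # blank line
    case "$host" in "#"*) continue;; esac # comment line
    d=$("$lookup" "$host" "$port")
    if [ "$d" -lt "$threshold" ]; then
      printf '%s:%s %s\n' "$host" "$port" "$d"
    fi
  done < "$list"
}

# make_test_cert <days> <out.pem>
# Self-signed certificate valid for <days> days, constructed only to exercise
# days_left_pem without any network access.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$2" -days "$1" \
    -subj "/CN=expiry.test" 2>/dev/null
}

# Offline demo: ./script --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_test_cert 20 "$tmp/short.pem"
  make_test_cert 90 "$tmp/long.pem"
  printf 'short.test 443\nlong.test 443\n' > "$tmp/ssldomains"
  # stub lookup that maps the constructed hostnames to the constructed certificates
  stub() { days_left_pem "$tmp/${1%.test}.pem"; }
  echo "Expiring within 30 days (equivalent of -x 30):"
  expiring_within 30 "$tmp/ssldomains" stub
  rm -rf "$tmp"
fi
```

In real use you would pass days_left_remote as the lookup and pipe the output into mail; the stub exists only so the threshold logic can be checked without touching a live server.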
Option 2 : Website Option
Kontrola
WARNING : Ensure you get your formatting correct. This example requires one <site> per line with no port; if the file is not in this format the check will not run correctly.
a6n.co.uk
google.com
Then run the script with no arguments and it does the rest: ./kontrola
jota-cert-checker
The other web option is jota-cert-checker. A checkout of it looks like this:
┌──(mooney@ssl-monitor)-[~/kontrola]
└─$ dir /home/mooney/ssl2
certs_check.html  Dockerfile  html2img.py  LICENSE  sitelist
crontab.txt  entry.sh  jota-cert-checker.sh  README.md  ssmtp.conf
You need to edit the sitelist file:
$ nano sitelist
Then you need to put the websites you wish to check in this file in the format outlined below:
WARNING : Ensure you get your formatting correct. This example requires one entry per line in the form <site>:<port>; if the file is not in this format the check will not run correctly.
a6n.co.uk:443
google.com:443
Once you have your file: the script defaults to 300 days for a warning, which for most people is far too long. I would rather have a warning at 30 days and an alert at 14, so edit jota-cert-checker.sh and change these values from the defaults to, for this example, 30 and 14 respectively:
current_date=$(date +%s)
end_date="${end_date:-}"
days_left="${days_left:-}"
certificate_last_day="${certificate_last_day:-}"
warning_days="${warning_days:-30}"
alert_days="${alert_days:-14}"
Because these use the "${var:-default}" form, an exported environment variable of the same name overrides the value in the file, so you can also set warning_days and alert_days in the environment (for example from the crontab entry) instead of editing the script.
This gives you the results in a terminal window like this:
If you would like a web page rather than a terminal window, run this instead:
./jota-cert-checker.sh -f sitelist -o html
This gives you a web page, not as pretty as Kontrola but all on one page, which some people may prefer. You will need to customise the text to make it applicable to your company: open jota-cert-checker.sh again and, under the HTML settings, locate this line:
if [ "$days_left" -gt "$warning_days" ];then
then update the labels in the lines that follow it as you wish:
echo "<td style=\"padding: 8px;background-color: #33FF4F;\">Healthy</td>" >> $html_file
echo "<td style=\"padding: 8px;background-color: #FFE032;\">Expiring</td>" >> $html_file
echo "<td style=\"padding: 8px;background-color: #FF8F32;\">Expired</td>" >> $html_file
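As an added example, and not jota-cert-checker's own code, the script below builds the same kind of one-page HTML report from a "host:port" sitelist. It checks the list format up front, because both warnings above boil down to "a malformed line breaks the run", and it keeps the warning/alert thresholds overridable from the environment in the same "${var:-default}" style. The three labels and colours are the ones from the snippet above; the split into Healthy (above warning_days), Expiring (within the warning window) and Expired (0 or fewer days), plus a separate alert_needed test against alert_days, is this example's own choice, and the hostnames and day counts used in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example (not jota-cert-checker's code): one-page HTML report from a
# "host:port" sitelist. Thresholds overridable from the environment.
set -e

warning_days="${warning_days:-30}"
alert_days="${alert_days:-14}"

# validate_sitelist <file>
# Every non-blank, non-comment line must be host:port with a numeric port.
# Prints each offending line and returns 1 if any, so a bad file fails
# before a single TLS connection is attempted.
validate_sitelist() {
  local line host port bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ""|"#"*) continue;; esac
    case "$line" in
      *:*) host="${line%%:*}"; port="${line##*:}"
           case "$port" in ''|*[!0-9]*) printf 'bad port: %s\n' "$line"; bad=1;; esac
           [ -n "$host" ] || { printf 'missing host: %s\n' "$line"; bad=1; } ;;
      *)   printf 'missing :port: %s\n' "$line"; bad=1 ;;
    esac
  done < "$1"
  return $bad
}

# status_label <days_left>: Healthy / Expiring / Expired, using the same
# "-gt warning_days" test that the script's HTML section starts with.
status_label() {
  if [ "$1" -gt "$warning_days" ]; then echo Healthy
  elif [ "$1" -gt 0 ]; then echo Expiring
  else echo Expired; fi
}

# alert_needed <days_left>: true when an alert (e.g. the e-mail) should fire.
alert_needed() { [ "$1" -le "$alert_days" ]; }

# html_escape <string>: the list is a file you control, but escaping costs nothing
# and a stray "<" in it should not break the page.
html_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# render_report <sitelist> <lookup>
# <lookup> takes host and port and prints days left (in real use a function around
# "openssl s_client -servername host -connect host:port"; the demo uses a stub).
# Writes the HTML table to stdout, one row per site, coloured like the original.
render_report() {
  local list="$1" lookup="$2" line host port d label colour
  validate_sitelist "$list" >&2
  printf '<table>\n<tr><th>Host</th><th>Days left</th><th>Status</th></tr>\n'
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ""|"#"*) continue;; esac
    host="${line%%:*}"; port="${line##*:}"
    d=$("$lookup" "$host" "$port")
    label=$(status_label "$d")
    case "$label" in
      Healthy)  colour='#33FF4F';;
      Expiring) colour='#FFE032';;
      *)        colour='#FF8F32';;
    esac
    printf '<tr><td>%s:%s</td><td>%s</td><td style="padding: 8px;background-color: %s;">%s</td></tr>\n' \
      "$(html_escape "$host")" "$port" "$d" "$colour" "$label"
  done < "$list"
  printf '</table>\n'
}

# Offline demo: ./script --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  printf 'a6n.co.uk:443\ngoogle.com:443\n' > "$tmp/sitelist"
  # constructed day counts standing in for a live lookup
  stub() { case "$1" in a6n.co.uk) echo 47;; google.com) echo 9;; esac; }
  render_report "$tmp/sitelist" stub > "$tmp/certs_check.html"
  cat "$tmp/certs_check.html"
  rm -rf "$tmp"
fi
```

Redirect render_report to certs_check.html from cron and attach that file to the e-mail; alert_needed is what you would gate the e-mail on so the report is sent only when something is inside the alert window.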
This was covered in this blog post here
This looks like this:
All you need to do is update message.html with relevant content and attach the HTML report from either Kontrola or jota; you then have an alert before the certificates expire. Note that this does not bind the new certificate to the service or application; it only gives you some accountability before your public or internal certificates expire.
crt.sh also tells you all the DNS names linked to a domain, and furthermore it shows where I have used Cloudflare- and WordPress-hosted websites; not really private, as it is all public anyway.