πŸ›‘ Certificate Expired : SSL Proactive Monitoring

Expiring certificates can be frustrating, especially when the serve business critical applications and you "forgot" to renew them, however when they do expire people usually say, when publicly obvious that mistakes were made, well "mistakes" basically say "unspecified people, made undetermined mistakes for which your site failed for customers" 

This is unacceptable and should not be a thing in 2023, or even should not be a thing since 2010 back when it could be automated so they do not expire, I understand that many companies have not caught up with the "auto renew" certificates which Lets Encrypt has been about since it was launched.

Anyway, the failure is down the lack or auditing and monitoring and accountability or all three, if you are unlucky, so this starts with the options you have with fancy icons for you to pick which one you require your reports or information to be presented for !!

So, you have your choices below in icon format, you have the CLI/Shell, Website or e-mails, you can click the icon to see an example πŸ”₯



SSL and TCP:443

If you are using a website or service with a certificate the default port is using TCP and port 443, however many people customise this port which can also be accommodated with these scripts, excluding Kontrola, for ssl-checker and Jota when you enter the sitelists as per this guide you will to change, so if you are using ssl-checker:

a6n.co.uk 9481
google.com 8944
If you are using Jota then the same action looks like this:

a6n.co.uk:9481
google.com:8944

Option 1 : CLI Option (with e-mail at the end)

Using ssl-cert-check

ssl-cert-check is provided free of charge, and can be downloaded from the prefetch.net web servers:

$ wget https://raw.githubusercontent.com/Matty9191/ssl-cert-check/master/ssl-cert-check

ssl-cert-check comes with several options, which can be viewed with the the “-h” option:

$ ssl-cert-check -h

Usage: ssl-cert-check [ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ] [-i]
       {[ -s common_name ] && [ -p port]} || {-f cert_file} || {-c certificate file}

  -a               : Send a warning message through email
  -c cert file     : Print the expiration date for a PEM formatted
                     certificate passed as an option
  -e email address : Email address to send expiration notices
  -f cert file     : File with a list of FQDNs and ports
  -h               : Print this screen
  -i               : Print the issuer of the certificate
  -p port          : Port to connect to (interactive mode)
  -s commmon name  : Server to connect to (interactive mode)
  -q               : Don't print anything on the console
  -x days          : Certificate expiration interval (eg. if cert_date < days)

Running ssl-cert-check Against a Certificate File

If you manage numerous certificates on a web server, you can use ssl-cert-check to print the expiration date for each certificae, use ssl-cert-check can be executed with the “-c” (certificate file to process) option and the certificate to process:

$ ssl-cert-check -c /etc/ca/cacert.pem

Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
FILE:/etc/ca/cacert.pem                         Valid        Jan 2 2024   267

Running ssl-cert-check Against A Network Accessible Server

If you do not have local access to the certificate files, you can use ssl-cert-check’s network connectivity option to extract the certificate expiration date from the production server, use the -s for the site and -p for the TCP port...

$ ssl-cert-check -s a6n.co.uk -p 443

Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
a6n.co.uk:443                                   Valid        May 27 2023  47

Running ssl-cert-check Against A List Of Servers

If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that file:

$ nano ssldomains

WARNING : Ensure you get your formatting correct, this examples requires <site><space><port> - if it is not in this format the code will not run.

a6n.co.uk 443
google.com 443

$ ssl-cert-check -f ssldomains

Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
a6n.co.uk:443                                   Valid        May 27 2023  47
google.com:443                                  Valid        Jun 12 2023  63

It is sometimes useful to view the organization that issued a certificate. When ssl-cert-check is executed with the “-i” option, the issuer is printed along with the certificate expiration date:

$ ssl-cert-check -i -f ssldomains

Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
a6n.co.uk:443                       Google Trust Sev  Valid    May 27 2023 47
google.com:443                      Google Trust Sev  Valid    Jun 12 2023 63

ssl-cert-check can provide e-mail notifications when a certificate is getting close to expiring, the following example uses both options to send an e-mail notification if one of more of the hosts listed in the file ssldomains contains a certificate that will expire within the next 14-days:

$ ssl-cert-check -a -f ssldomains -q -x 14 -e ssl.man@bear.local

This will essentially give you an output like this:


Option 2 : Website Option

Kontrola

I have already covered the Kontrola script which you can review here but the fashion is the same, so I can cover it here as well

git clone https://github.com/philcryer/kontrola.git
cd kontrola

Once install, edit the domains.txt file, adding domains you want be checked in the format outlined below:

WARNING : Ensure you get your formatting correct, this examples requires <site> -  if it is not in this format the code will not run.

a6n.co.uk
google.com
The run the script no variables and it will do its magic......

./kontrola

Reports are outputted to the subdirectory called HTML, which is very convenient, this looks like this:



Jota Cert Checker

$ git clone 
https://github.com/juliojsb/jota-cert-checker

This will download the files required to the current directory 

┌──(mooney@ssl-monitor)-[~/kontrola]
└─$ dir /home/mooney/ssl2
certs_check.html  Dockerfile  html2img.py           LICENSE    sitelist
crontab.txt       entry.sh    jota-cert-checker.sh  README.md  ssmtp.conf

Right here you will notice that there is "sitelist" file which need to populated with the sites you wish to check when you run this script.....

You need to edit this file so you can do this with this:

@nano sitelist

Then you need to put the websites you wish to check in this file in the format outlined below:

WARNING : Ensure you get your formatting correct, this examples requires <site>:<port> - if it is not in this format the code will not run.

a6n.co.uk:443
google.com:443

Once you have your file, this script will default to 300 days as a warning, which for many people will be far to long, I would rather 30 days as a warning and 14 days as an alert, so to update these settings you will need to edit the jota-cert-checker.sh file, when you do you need to update these values from the default to for this example 30 and 14 respectively.....

current_date=$(date +%s)
end_date="${end_date:-}"
days_left="${days_left:-}"
certificate_last_day="${certificate_last_day:-}"
warning_days="${warning_days:-30}"
alert_days="${alert_days:-14}"

Once you have this file formatted you can run the command using this:

./jota-cert-checker.sh -f sitelist -o terminal

This will give you the results in a terminal window like this:


However if you would like a website rather than a terminal window you can run this:

./jota-cert-checker.sh -f sitelist -o html


This will give you a website, not as pretty as Kontrola but its all on one page which some people may prefer, however you will need to customise the text to make to applicable for your company, so to complete this open up the jota-cert-checker.sh one again and locate this section in the code, under the HTML settings, locate this line:

if [ "$days_left" -gt "$warning_days" ];then
Then update the label in the code as per your desire......

echo "<td style=\"padding: 8px;background-color: #33FF4F;\">Healthy</td>" >> $html_file
echo "<td style=\"padding: 8px;background-color: #FFE032;\">Expiring</td>" >> $html_file
echo "<td style=\"padding: 8px;background-color: #FF8F32;\">Expired</td>" >> $html_file

Option 3 : email to your inbox

This is the one I like least as there is a large margin for error with it being ignored, deleted or marked as spam, but some people love a good e-mail so this uses the pages that have already been created in Kontrola or Jota.

This was covered in this blog post here

This looks like this:


All you need to do is update the message.html to reflect relevant content, and then update the attachment to the HTML from either Kontrola or Jota, simple then you have an alert before the certificates expire, please note that this does not bind the new certificates to the service or application, it to give you a bit of accountability before your public/internal certificates expire.

Finally if you wish to check the status of previous certificates then you can do with a very handy website called crt.sh this website, for example if you use my domain a6n.co.uk it will tell you the history of all my certificates, as with any site - that link is here

crt.sh also tells you all the DNS names linked to that domain, furthermore it will tell you when I have used Cloudflare and Wordpress hosted websites, not really private as its all public anyway.
Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„