Certify The Web - Dashboard for Certbot, acme.sh etc

So it's taken a couple of years to get round to it after the initial idea, but as part of the revised https://certifytheweb.com dashboard feature we've begun experimental work to integrate reporting from multiple ACME clients into one dashboard, the first being Certbot:

The main focus of the dashboard is to highlight renewal failures, while also accounting for successful renewals and general visibility of certificate inventory across an organization's servers. It's very likely that we'll add optional renewal failure notifications and typical key type/issuer stats, different views etc.

Currently for Certbot this will work as a separate dashboard agent executable (optionally run via cron etc. or as a systemd service) which, in the case of Certbot, reads/monitors the renewals config, public certificate PEM file info and the Certbot logs to determine the current status of each renewal (including current renewal failure counts). If anyone knows of relevant failure capture methods outside of this please let me know - we could use hooks to catch failed validation but not earlier order problems etc.

As this technique requires parsing logs (which is a very error-prone task and subject to variation between versions) I'm looking for test subjects who are willing to share the relevant info from their certbot installs with us (all current log files, an export of /live minus all private keys, and a copy of /renewals conf files). This will enable us to use real world config to refine the parsing/reporting the agent does.

You can message me via this forum if you'd like to participate. Data will be treated confidentially and deleted when no longer required for development/testing. We'd be looking for orgs that either have many certs on one instance or many instances (if you're just using Certbot for a handful of certs then please wait for the beta version).

In exchange you get dashboard access for at least a year when the feature becomes available for alpha/beta testing. The existing dashboard is a (low cost) Software-as-Service product, we may also add a self host tier if there is sufficient demand.

[Edit: This invite now extends to acme.sh users. The required files the agent parses for its reporting are the .conf files for each renewal, your public .cer file for each renewal and your acme.sh.log file (logging must be enabled)]

2 Likes

Sooo, all my logs and certs and stuff would be periodically uploaded to your service?

2 Likes

Not quite, the logs are parsed for the most recent error (per renewal) and a summary report is sent to the service with high level info about the problem and a PEM of the public leaf cert (as you would find on crt.sh etc) so that we know the standard stuff like start/end dates, identifiers, issuer, key type etc. The actual raw logs, config etc. don't get sent.

3 Likes
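The opening post describes an agent that reads the Certbot renewal config, the public cert PEM and the log to work out per-renewal status and failure counts, and the reply above narrows down what actually leaves the machine: a high-level summary plus the public leaf certificate, never raw logs, config or keys. The following Python sketch is an added example of that data flow, not Certify The Web's agent code. It assumes the layout of Certbot's `renewal/<lineage>.conf` (top-level paths, then a `[renewalparams]` section), the `timestamp,ms:LEVEL:logger:message` shape of `letsencrypt.log`, and two renewal log messages ("Renewing an existing certificate for X" and "Failed to renew certificate X with error: ...") whose exact wording is taken from recent Certbot releases and may differ between versions; all sample inputs are constructed placeholders. The point worth seeing is the last step: the report is built only from the parsed summary and from PEM blocks labelled CERTIFICATE, and any private-key block is refused outright.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of /etc/letsencrypt/renewal/example.com.conf (placeholder paths/account).
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
"""

# Constructed lines in the shape of letsencrypt.log; message wording is an assumption
# (it varies between Certbot versions, which is what makes log parsing fragile).
SAMPLE_LOG = """\
2024-05-01 03:12:45,001:INFO:certbot._internal.renewal:Renewing an existing certificate for example.com
2024-05-01 03:12:46,002:ERROR:certbot._internal.renewal:Failed to renew certificate example.com with error: Some challenges have failed.
2024-05-02 03:12:45,003:INFO:certbot._internal.renewal:Renewing an existing certificate for example.com
2024-05-02 03:12:46,004:ERROR:certbot._internal.renewal:Failed to renew certificate example.com with error: Some challenges have failed.
2024-05-02 03:13:10,005:INFO:certbot._internal.renewal:Renewing an existing certificate for other.example
2024-05-02 03:13:12,006:INFO:certbot._internal.renewal:Cert not yet due for renewal
"""

# Stand-ins for live/<lineage>/cert.pem and privkey.pem; the base64 bodies are placeholders.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"

LOG_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:(?P<level>[A-Z]+):(?P<logger>[\w.]+):(?P<msg>.*)$")
ATTEMPT_MSG = re.compile(r"^Renewing an existing certificate for (?P<name>\S+)$")
FAIL_MSG = re.compile(r"^Failed to renew certificate (?P<name>\S+) with error: (?P<err>.*)$")
PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----.*?-----END (?P=label)-----", re.S)


@dataclass
class RenewalStatus:
    lineage: str
    outcomes: List[bool] = field(default_factory=list)  # one entry per attempt; True = no failure logged
    last_error: Optional[str] = None
    last_error_time: Optional[str] = None

    @property
    def consecutive_failures(self) -> int:
        n = 0
        for ok in reversed(self.outcomes):
            if ok:
                break
            n += 1
        return n


def parse_renewal_conf(text: str):
    """Split a renewal .conf into its top-level keys and the [renewalparams] section."""
    top: Dict[str, str] = {}
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        (params if section == "renewalparams" else top)[key.strip()] = value.strip()
    return top, params


def summarize_log(text: str) -> Dict[str, RenewalStatus]:
    """Per lineage: record each renewal attempt and whether a 'Failed to renew' error followed it."""
    statuses: Dict[str, RenewalStatus] = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # traceback continuation lines carry no timestamp prefix; skip them
        msg = m.group("msg")
        attempt = ATTEMPT_MSG.match(msg)
        if attempt:
            statuses.setdefault(attempt["name"], RenewalStatus(attempt["name"])).outcomes.append(True)
            continue
        fail = FAIL_MSG.match(msg)
        if fail and m.group("level") == "ERROR":
            st = statuses.setdefault(fail["name"], RenewalStatus(fail["name"]))
            if st.outcomes and st.outcomes[-1]:
                st.outcomes[-1] = False  # the open attempt ended in failure
            else:
                st.outcomes.append(False)  # failure with no matching attempt line
            st.last_error = fail["err"].strip()
            st.last_error_time = m.group("ts")
    return statuses


def extract_public_certificates(pem_text: str) -> List[str]:
    """Return only CERTIFICATE blocks; refuse the whole input if any private-key block is present."""
    certs = []
    for m in PEM_BLOCK.finditer(pem_text):
        label = m.group("label")
        if "PRIVATE KEY" in label:
            raise ValueError(f"refusing to report a PEM block labelled {label!r}")
        if label == "CERTIFICATE":
            certs.append(m.group(0))
    return certs


def safe_to_report(pem_text: str) -> bool:
    try:
        return bool(extract_public_certificates(pem_text))
    except ValueError:
        return False


def build_report(conf_text: str, log_text: str, cert_pem: str) -> dict:
    """The high-level summary an agent would send: status fields plus the public leaf cert only."""
    top, params = parse_renewal_conf(conf_text)
    lineage = os.path.basename(top["archive_dir"])  # normally taken from the .conf file name
    status = summarize_log(log_text).get(lineage, RenewalStatus(lineage))
    leaf = extract_public_certificates(cert_pem)[0]  # cert.pem holds the leaf; the privkey path is never read
    return {
        "lineage": lineage,
        "authenticator": params.get("authenticator"),
        "acme_server": params.get("server"),
        "key_type": params.get("key_type"),
        "consecutive_failures": status.consecutive_failures,
        "last_error": status.last_error,
        "last_error_time": status.last_error_time,
        "leaf_certificate_pem": leaf,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_RENEWAL_CONF, SAMPLE_LOG, SAMPLE_CERT_PEM), indent=2))
```

Two caveats match what the thread says about this approach. First, an attempt with no failure line after it is only assumed to have succeeded here; a real agent should confirm by checking the leaf cert's validity dates, which needs an X.509 parser (for example the `cryptography` package) rather than string matching. Second, the message regexes are version-specific, so a wording change in Certbot silently turns into "zero failures", which is why a monitoring agent should also alert when a lineage stops appearing in the log at all.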

Ah OK. So some kind of application would need to run on the system using this service.

1 Like

Yep, the dashboard agent is a tool that periodically compiles the report and sends it.

3 Likes

As mentioned in the edit above acme.sh users are now also invited to participate.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.