LetsMonitor.org - Monitoring certificates

It runs weekly.

So even if it fails 10 times in 3 months (I’ve yet to see it fail once), it’ll still catch it on the 11th run.

I thoroughly tested the script before running it via cron - it’s simple, and Just Works™

I think this can be mitigated by:

  • Making sure a host is not in the database more than once

  • Checking that large numbers of hosts are not resolving to the same IP address. This is not necessarily an issue on port 443 (up to a point), but it would be a big red flag on a non-standard port.

I would still like a backup system in place.

That is now implemented.

Thanks. It is fixed and my apologies for not looking after the log myself.

No problem. Those kind of routing issues are why we chose to make this a globally distributed monitoring system.

Is the process of sending alerts centralized, or does each node send alerts independently? Because with centralized alerting it would be easier to account for the case when the tested host is fine but there is a connectivity issue between the particular node and that host - just ask at least 2 more nodes to re-confirm.

The notification service is centralized. It uses AWS SES for email notifications and Twilio for SMS (although we are looking at cheaper alternatives).

You can now specify a port.

Thank you. Now I can monitor the certificate of my Synology NAS.

You can now specify whether the check will skip authorization. This can be used in a number of scenarios, like self-signed certificates.


I think you meant “peer verification” instead of “authorization”. :slight_smile:

Yes, authorization is too broad a term.

This has been added as the default, but there are a surprisingly large number of monitors set up with the domain not matching the certificate.

I’m also monitoring an SSL certificate used by my mail server on port 993 :wink: super cool.
Big thanks for providing such services

You are welcome. I talked to a friend in IT in another company where they use a spreadsheet to keep track of their certificate expirations. So, now they use this.

Ah, Node has a hardcoded list of CA certs. Literally hardcoded. We are going to have to find a way to add to that list.

That seems to be the last update of NodeJS:

Thank you. We still need to figure out the best way to validate self-signed certs in Node.

It looks, from their use of the mk-ca-bundle.pl as though they’re importing the Mozilla NSS trust store.

A lot of people outsource their CA trust store to Mozilla NSS either themselves or via their OS (most Linux or BSD based systems for example) or their TLS libraries. I hope all those people are aware, and have an eye on Mozilla’s continued existence. They should probably also monitor the mozilla.dev.security.policy group in order to be aware of future changes to that store’s contents or meaning, and risks Mozilla mitigates that their own tools may not.