Monitoring the state of certificates

Continuing the discussion from Conceptual Issues with operational handling of letsencrypt:

Since you have to renew your certificates at least every 90 days and there’s currently no support for renewal in the official client, many users have resolved this issue by creating some wrapper script and putting that into cron. This may lead to problems, as cron may not be executed or something else.

It always should be best if you monitor the state of your certificates in a periodic way to see if there’s a problem. This can be very easy if you have just one server (just connecting to the page once a day or week). But if you have multiple sites, you may want to have something more sophisticated. Maybe some standalone software or a plugin for one of the commonly used monitoring tools (Nagios, Zabbix etc.).

I propose here a list of such monitoring software. Post your software below so that I can update this list accordingly.

Standalone
Certinel: https://github.com/drtoful/certinel
checkssl: https://github.com/srvrco/checkssl
GlobalSign Inventory: https://www.globalsign.com/en/blog/new-certificate-inventory-tool/
Certificate Expiry Monitor: https://certificatemonitor.org/

Plugins
check_ssl_cert_plugin: Nagios

I use the check_ssl_cert plugin for nagios. The check_http plugin can also check for certificate expiry if you use it with the -C switch.

LE will also send a reminder email to the address you registered with (though I can’t confirm that yet myself as my certs aren’t old enough).
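A Nagios-style expiry check of the kind the plugins mentioned in this thread perform, given here as an added example that is not code from any poster or from the tools they list. The function names and the 30-day warning and 7-day critical thresholds are assumptions chosen for illustration; the exit codes follow the usual Nagios plugin convention.

```python
import socket
import ssl
import sys
import time

# Nagios plugin exit codes (standard plugin convention).
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter string of the certificate served by host:port."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def classify(not_after, now, warn_days=30, crit_days=7):
    """Map a notAfter string to (exit_code, days_left) at UNIX time `now`."""
    # Thresholds are assumed defaults, not values from the thread.
    days_left = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    if days_left < crit_days:
        return CRITICAL, days_left
    if days_left < warn_days:
        return WARNING, days_left
    return OK, days_left


def check_host(host, now=None, fetch=fetch_not_after):
    """Check one host; `fetch` is injectable so the logic can be tested offline."""
    now = time.time() if now is None else now
    try:
        code, days = classify(fetch(host), now)
        return code, f"{host}: certificate expires in {days} days"
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted or mismatched certificates fail verification
        # during the handshake, before notAfter can be read.
        return CRITICAL, f"{host}: certificate rejected ({exc})"
    except (OSError, ValueError) as exc:
        return UNKNOWN, f"{host}: check failed ({exc})"


if __name__ == "__main__":
    # Hosts come from the command line; exit with the highest status code seen.
    results = [check_host(h) for h in sys.argv[1:]]
    for code, message in results:
        print(("OK", "WARNING", "CRITICAL", "UNKNOWN")[code], "-", message)
    sys.exit(max((c for c, _ in results), default=UNKNOWN))
```

Running this from the monitoring system rather than from the same cron job that performs the renewal means a silently failing renewal still raises an alert.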

There’s also a free Certificate Inventory Tool by GlobalSign they announced way back https://www.globalsign.com/en/blog/new-certificate-inventory-tool/

Works with every SSL provider and site and basically is a database for SSL certificates you own.

However, they seem to have expired my user login to my CIT area, so not sure what’s up with that.

I’ve created two open source tools to both monitor your certificate expiry and an SSL Labs alternative, an SSL server test. Certificate expiry monitor is here: https://certificatemonitor.org/ and the SSL server test here: https://ssldecoder.org/

I’ve created a topic on the certificate expiry monitor here as well: Certificate Expiry Monitor

@raymii almost forgot about your tools :)

If you have more certificates and want to keep an eye on expiry, we have launched a free:

https://keychest.net

  • It has a spot check if you just want to quickly test a new server config.
  • Dashboard where you can track all your certificates - this will have weekly email summaries in a couple of weeks’ time.
  • Automatic on-going enrolment of subdomains of “Active Domains” in user accounts.

https://vimeo.com/228584972

openssl commands are also an option

I use SSL Checker app and it has been quite handy for me to keep track of my expiring certificates. You may want to add it to your list to help other users. Thanks!