← Back to context

Comment by Zealotux

4 years ago

Amusing, I embarrassed myself today as I forgot to renew a client's certificate. This kind of service is unfortunately too expensive for my needs (2 small websites to monitor), wouldn't that be possible to have a small software run on my laptop that checks a list of websites every day for upcoming expiration?

10 comments

Zealotux

Reply
geofft  4 years ago

You can do this with the following crappy cronjob (monitoring the machine where your cronjobs run is left as an exercise to the reader / is why you'd want to pay someone to deal with it):

    0 0 * * * openssl s_client -showcerts -connect news.ycombinator.com:443 </dev/null 2>/dev/null | openssl x509 -checkend 864000 >/dev/null || echo "Certificate is expiring"

Assuming your system has local mail (via the sendmail command) working, this will send you an email if your certificate expires in the next 864000 seconds = 10 days. If you have an MTA installed but don't use local mail on the machine, you can use the MAILTO feature to send it to your normal email address.

  • atok1  4 years ago

    That's pretty useful, thanks.

    I can setup a monitor (FOSS) for the computer that is doing the site monitoring, since I only use open source software that I can inspect.

dharmab  4 years ago

In addition to monitoring the cert, consider using Let's Encrypt/ACME to auto-rotate certificates.

  • remram  4 years ago

    Unfortunately this also fails in interesting ways...

    Just recently, I let one of my certificates expire. The cronjob correctly renewed it, but nginx was not reloaded and kept using the previous certificate. This had never happened before, because I would usually make changes regularly and trigger a reload, which would load the new certificate. Therefore this website had run without issues for 2 years with an incomplete renewal configuration until it finally broke...

    • dharmab  4 years ago

      Yes, we had lots of issues with nginx serving stale configuration, sometimes even after a reload. I learned to distrust nginx's reload and use two or three nginx servers so I could restart one after updating configs.

cyberge99  4 years ago

dnmin is a small shop that offers it free (I think). I donated the guy $10 for the service a couple of years ago. I got an alert recently, so it works.

amozoss  4 years ago

Google cloud does checks (of endpoints or tcp connections). I've never been charged as far as I can tell. It sends me a text when my site is down, but it has tons of other notification options