Show HN: Free Certificate Monitoring via RSS

raphting.dev

120 points by raphting 2 years ago · 29 comments

cloin 2 years ago

Cool! I have a strange affinity for RSS and created* a small plugin to subscribe to feeds within Event-Driven Ansible** and run actions on new feed posts. I didn't create it with specific utility in mind, certificate monitoring via RSS fits right in there - much to my surprise.

* - https://github.com/cloin/cloin.eda/blob/main/docs/rss.rst

** - https://github.com/ansible/ansible-rulebook

boricj 2 years ago

Neat!

Recently my Synology NAS failed to automatically renew its Let's Encrypt certificate for my domain name and the certificate expired on my blog. I caught it the next day when my GoAccess metrics cratered (took some time to figure out since I normally use the QuickConnect domain name myself, whose certificate was fine), but it could've stayed broken for a very long time otherwise without me noticing.

You got yourself a subscriber.

  • toomuchtodo 2 years ago

    Does Let's Encrypt not provide alerting when a cert hasn't been refreshed successfully?

    https://letsencrypt.org/docs/expiration-emails/

    • boricj 2 years ago

      I did get an email, but it was triaged under the update category inside Gmail and thus buried under a metric ton of other updates (the account is over 14 years old and it has accumulated a lot of crap over the years).

      That's totally on me for missing it. On the other hand I only follow a couple of RSS feeds, so it's a notification channel with a far higher signal-to-noise ratio for me.

    • nacs 2 years ago

      They do and it has saved me a couple of times.

      Even though the renewal app runs as a cron job weekly, it occasionally breaks due to OS updates or some other issue, so the email from Let's Encrypt that warns me at least a week before the expiration has been fantastic.

  • ThePowerOfFuet 2 years ago

    QuickConnect has had serious security issues in the past, and I recommend very strongly against enabling or using it.

    • boricj 2 years ago

      I've disabled it just now. I was basically only using it as an alias anyways.

      I did take some very basic precautions otherwise (its firewall is configured to drop all non-local packets but for TCP ports 80 and 443), but at some point I'll have to host my blog properly instead of piggy-backing on a dinky, always-on NAS...

Pathogen-David 2 years ago

Love the concept! It'd be cool if it was self-hostable, it'd be nice for monitoring certs in my homelab.

justsomehnguy 2 years ago

You monitor for the failures ($currentDate > $cert.NotAfter), great.

What about soft failures, like connection problems? What if the cert is available but actually garbage? What if between 30 and 7 days the cert is changed?

And no, not checking FQDN against SAN is...

And finally, who monitors the monitoring?

  • jackhalford 2 years ago

    No need to be snarky, clearly monitoring end user connections is a must. But the general idea of using RSS for monitoring is new to me, thanks for sharing!
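The checks justsomehnguy lists (expiry ladder, soft failures such as connection errors, a certificate swapped mid-window, FQDN against SAN) can be done from the dict that Python's `ssl` module returns for a peer certificate. This is an added example, not code from raphting's service; the 30/7/1 thresholds, the sample certificate dict and the DER bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = (30, 7, 1)  # notification ladder assumed for the example

def fetch_cert(host, port=443, timeout=10):
    """Return (getpeercert() dict, DER bytes) for the leaf cert host:port serves.
    Verification stays on, so a broken chain surfaces as ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host

def evaluate(cert, der, host, now, previous_fp=None):
    """Turn one observed certificate into feed-item findings; returns (findings, sha256)."""
    findings = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        findings.append(f"hostname {host} not covered by SAN {sans}")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after <= now:
        findings.append(f"expired {(now - not_after).days} days ago")
    else:
        for days in sorted(WARN_DAYS):  # report the tightest threshold crossed
            if not_after - now <= timedelta(days=days):
                findings.append(f"expires within {days} days ({not_after:%Y-%m-%d})")
                break
    fp = hashlib.sha256(der).hexdigest()
    if previous_fp and fp != previous_fp:  # rotated since the last check
        findings.append(f"certificate changed, new sha256 {fp}")
    return findings, fp

def check_host(host, port=443, now=None, previous_fp=None, timeout=10):
    """Soft failures (unreachable, handshake or validation error) become findings, not crashes."""
    try:
        cert, der = fetch_cert(host, port, timeout)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return [f"soft failure for {host}:{port}: {type(exc).__name__}: {exc}"], previous_fp
    return evaluate(cert, der, host, now or datetime.now(timezone.utc), previous_fp)
```

Each finding is the text a feed item would carry; persisting the returned fingerprint between runs is what makes the "certificate changed" check possible.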

gry 2 years ago

Fantastic. I love when someone stitches existing tools to solve a problem in a novel and elegant way.

dewey 2 years ago

For transparency monitoring there's also https://crt.sh/?q=news.ycombinator.com which doesn't need a login, is free and has RSS support.

  • mmsc 2 years ago

    I used crtsh to discover certificates which were created in my previous company but I found about 20% of the time it returns some type of error (which is recoverable with a simple retry). Not sure if they fixed that, but I wouldn’t be surprised if a lot of companies use them and even profit from it somehow.

  • raphting (OP) 2 years ago

    Awesome, thank you!

rabbitofdeath 2 years ago

Uptime Kuma can also monitor certificate expiration; you can also enable it to show you how many days are left until it expires.

https://github.com/louislam/uptime-kuma

smolBobbyTables 2 years ago

Hey. Thanks for making this. It really solves this silly use-case I have for certs for which I can never get automated management going.

I have to submit a change request to get this added to our monitoring platform, and this is just so much simpler.

Thank you!

devsda 2 years ago

Interesting. The choice of RSS is nice because there are already a good number of "convert/insert RSS into x" tools that can be used to generate other modes of monitoring/alerts.

crtasm 2 years ago

Love it! A parameter to pick which notifications would be appreciated, e.g. I might only want the 1 day in advance.

And perhaps also specifying a port, for services not on 443?

Neil44 2 years ago

I use Nagios to warn on cert expirations. Things should auto renew yes, but this catches the times that they don't.

LorenDB 2 years ago

Super neat tool, but given that I use Caddy, that kinda prevents this issue from happening for me. While a monitoring tool is always a good idea, maybe the best long-term solution would be to encourage certificate auto-renewal tools. OTOH, I have only worked with this on a personal level, so maybe there's problems with auto-renewal that I haven't learned about.

  • akerl_ 2 years ago

    I auto renew all my certs via either AWS ACM or lego.

    I also have monitoring that alerts me if a cert is nearing expiry.

    I’ve been alerted several times and been able to correct bugs or hiccups that would have caused the live cert to expire.

    Automation is not a replacement for monitoring: they are complementary.

    • philsnow 2 years ago

      > Automation is not a replacement for monitoring: they are complementary

      Absolutely. There are any number of reasons Caddy would be unable to renew the cert, just off the top of my head:

      - LetsEncrypt has downtime or unavailability

      - If you're doing dns-01 challenges for LE, whatever cred Caddy uses for that might expire / become invalidated.

      - disk fills up (or gets unexpectedly remounted read-only) and Caddy is unable to write the renewed certs

  • divbzero 2 years ago

    Are there still instances where you would want an Extended Validation (EV) certificate? If so, that’s one case where certificate monitoring could be relevant.

    Browsers today no longer provide visual indicators for EV certificates [1] so I don’t know if they’re still in common use.

    [1]: https://en.wikipedia.org/wiki/Extended_Validation_Certificat... "Removal of special UI indicators"

    • matrss 2 years ago

      > Are there still instances where you would want an Extended Validation (EV) certificate?

      Not really.

      > [...] I don’t know if they’re still in common use.

      They are. The myth that they are somehow inherently more secure is still widespread.

xofer 2 years ago

> No guarantees are given, for nothing

This is a double negative. Depending on how you interpret the comma, it could mean "guarantees are given for everything." (Pointing this out in case you intend to protect yourself from liability with this statement.)
