
dxld | 3 years ago

I just use a cron job that calls openssl s_client. The trick is to use faketime to check if the certificate would be valid in the future, like so:

  check_tls () {
          # Check two weeks in the future to give us time to fix certs
          faketime +14days \
                  openssl s_client -showcerts -verify_return_error "$@" \
                  </dev/null || exit 1
  }
The -verify_return_error option makes s_client return an exit code on cert validation failure. Then just loop over the hosts/ports you want to check, wrap the whole script in cronic/chronic to ignore output when it doesn't fail and bam no need for a service to do this. Just have to be able to interpret s_client output ;)

An example with dual stack IPv4/v6 https/smtp/imap support:

  for af in -4 -6; do
          for connect in \
                  www.example.org:443 \
                  \
                  mail.example.org:465 \
                  mail.example.org:993 \
                  ;
          do
                  check_tls $af -connect $connect
          done
  
          check_tls $af -starttls smtp -connect mail.example.org:25
          check_tls $af -starttls smtp -connect mail.example.org:587
          check_tls $af -starttls imap -connect mail.example.org:143
  done
Note that s_client doesn't check if the hostname passed is correct for the certificate it receives by default. To turn this on use the -verify_hostname option (https://www.openssl.org/docs/man3.0/man1/openssl-verificatio...)
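The same check done in Python with only the standard library, as an added example that is not part of the comment above: instead of shifting the clock with faketime it compares the certificate's notAfter against now plus 14 days, and because ssl.create_default_context() verifies the hostname as well as the chain, the -verify_hostname point is covered. The host names are placeholders, as in the comment.

```python
import socket
import ssl
import smtplib
from datetime import datetime, timedelta, timezone

LEAD_DAYS = 14  # same two-week margin as "faketime +14days"

def cert_time(s):
    """Parse a getpeercert() date such as 'Jun  1 12:00:00 2025 GMT' to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), timezone.utc)

def days_until_expiry(cert, now=None):
    """Days from `now` until notAfter; negative once the cert has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_time(cert["notAfter"]) - now) / timedelta(days=1)

def check_cert(cert, now=None, lead_days=LEAD_DAYS):
    """(ok, message): ok is False if the cert is expired or expires within lead_days."""
    left = days_until_expiry(cert, now)
    if left < 0:
        return False, "certificate expired %.1f days ago" % -left
    if left < lead_days:
        return False, "certificate expires in %.1f days (< %d)" % (left, lead_days)
    return True, "certificate valid for another %.1f days" % left

def fetch_cert(host, port, starttls=None, timeout=10):
    """Fetch the peer cert; create_default_context() verifies chain AND hostname."""
    ctx = ssl.create_default_context()
    if starttls == "smtp":
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def check_host(host, port, starttls=None):
    """(ok, message) for one endpoint; any TLS/verification error is a failure."""
    try:
        cert = fetch_cert(host, port, starttls)
    except (ssl.SSLError, OSError) as exc:  # untrusted, wrong name, expired, unreachable
        return False, "%s:%d %s" % (host, port, exc)
    ok, msg = check_cert(cert)
    return ok, "%s:%d %s" % (host, port, msg)

if __name__ == "__main__":  # hostnames are placeholders, as in the comment
    results = [check_host("www.example.org", 443), check_host("mail.example.org", 25, "smtp")]
    for ok, msg in results:
        print("OK  " if ok else "FAIL", msg)
    raise SystemExit(0 if all(ok for ok, _ in results) else 1)
```

Run it from cron the same way as the shell version; a non-zero exit means at least one endpoint is already failing verification or will expire inside the two-week window.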
