Show HN: Free Certificate Monitoring via RSS (opens in new tab)

(raphting.dev)

120 pointsraphting2y ago26 comments

26 comments

Cool! I have a strange affinity for RSS and created* a small plugin to subscribe to feeds within Event-Driven Ansible** and run actions on new feed posts. I didn't create it with specific utility in mind, certificate monitoring via RSS fits right in there - much to my surprise.

* - https://github.com/cloin/cloin.eda/blob/main/docs/rss.rst

** - https://github.com/ansible/ansible-rulebook

boricj2y ago

Neat!

Recently my Synology NAS failed to automatically renew its Let's Encrypt certificate for my domain name and the certificate expired on my blog. I caught it the next day when my GoAccess metrics cratered (took some time to figure out since I normally use the QuickConnect domain name myself, whose certificate was fine), but it could've stayed broken for a very long time otherwise without me noticing.

You got yourself a subscriber.

toomuchtodo2y ago

Does Let's Encrypt not provide alerting when a cert hasn't been refreshed successfully?

https://letsencrypt.org/docs/expiration-emails/

boricj2y ago

I did get an email, but it was triaged under the update category inside Gmail and thus buried under a metric ton of other updates (the account is over 14 years old and it has accumulated a lot of crap over the years).

That's totally on me for missing it. On the other hand I only follow a couple of RSS feeds, so it's a notification channel with a far higher signal-to-noise ratio for me.

nacs2y ago

They do and it has saved me a couple of times.

Even though the renewal app runs as a cron job weekly, it occasionally breaks due to OS updates or some other issue so the email from Lets encrypt that warns me at least a week or before the expiration has been fantastic.

ThePowerOfFuet2y ago

QuickConnect has had serious security issues in the past, and I recommend very strongly against enabling or using it.

boricj2y ago

I've disabled it just now. I was basically only using it as an alias anyways.

I did take some very basic precautions otherwise (its firewall is configured to drop all non-local packets but for TCP ports 80 and 443), but at some point I'll have to host my blog properly instead of piggy-backing on a dinky, always-on NAS...

Pathogen-David2y ago

Love the concept! It'd be cool if it was self-hostable, it'd be nice for monitoring certs in my homelab.

dapreee2y ago

https://github.com/google/certificate-transparency-go

This is what I use for my monitoring solutions

justsomehnguy2y ago

You monitor for the failures ($currentDate > $cert.NotAfter), great.

What about soft failures, like connection problems? What if the cert is available but actually garbage? What if between 30 and 7 days the cert is changed?

And no, not checking FQDN against SAN is...

And finally, who monitors the monitoring?

jackhalford2y ago

No need to be snarky, clearly monitoring end user connections is a must. But the general idea of using RSS for monitoring is new to me, thanks for sharing!

gry2y ago

Fantastic. I love when someone stitches existing tools to solve a problem in a novel and elegant way.

dewey2y ago

For transparency monitoring there's also https://crt.sh/?q=news.ycombinator.com which doesn't need a login, is free and has RSS support.

mmsc2y ago

I used crtsh to discover certificates which were created in my previous company but I found about 20% of the time it returns some type of error (which is recoverable with a simple retry). Not sure if they fixed that, but I wouldn’t be surprised if a lot of companies use them and even profit from it somehow.

raphtingOP2y ago

Awesome, thank you!

rabbitofdeath2y ago

Uptime Kuma can also monitor certificate expiration; you can also enable it to show you how many days are left until it expires.

https://github.com/louislam/uptime-kuma

smolBobbyTables2y ago

Hey. Thanks for making this. It really solves this silly use-case I have for certs that I can never get automated management going.

I have to submit a change request to get this added to our monitoring platform, and this is just so much simpler.

Thank you!

devsda2y ago

Interesting. Choice of rss is nice because there are already a good number of "convert/insert rss into x" tools that can be used to generate other modes of monitoring/alerts.

crtasm2y ago

Love it! A parameter to pick which notifications would be appreciated, e.g. I might only want the 1 day in advance.

And perhaps also specifying a port, for services not on 443?

Neil442y ago

I use Nagios to warn on cert expirations. Things should auto renew yes, but this catches the times that they don't.

LorenDB2y ago

Super neat tool, but given that I use Caddy, that kinda prevents this issue from happening for me. While a monitoring tool is always a good idea, maybe the best long-term solution would be to encourage certificate auto-renewal tools. OTOH, I have only worked with this on a personal level, so maybe there's problems with auto-renewal that I haven't learned about.

akerl_2y ago

I auto renew all my certs via either AWS ACM or lego.

I also have monitoring that alerts me if a cert is nearing expiry.

I’ve been alerted several times and been able to correct bugs or hiccups that would have caused the live cert to expire.

Automation is not a replacement for monitoring: they are complementary.

philsnow2y ago

> Automation is not a replacement for monitoring: they are complementary

absolutely. there are any number of reasons Caddy would be unable to renew the cert, just off the top of my head:

- LetsEncrypt has downtime or unavailability

- If you're doing dns-01 challenges for LE, whatever cred Caddy uses for that might expire / become invalidated.

- disk fills up (or gets unexpectedly remounted read-only) and Caddy is unable to write the renewed certs

divbzero2y ago

Are there still instances where you would want an Extended Validation (EV) certificate? If so, that’s one case where certificate monitoring could be relevant.

Browsers today no longer provide visual indicators for EV certificates [1] so I don’t know if they’re still in common use.

[1]: https://en.wikipedia.org/wiki/Extended_Validation_Certificat... "Removal of special UI indicators"

matrss2y ago

> Are there still instances where you would want an Extended Validation (EV) certificate?

Not really.

> [...] I don’t know if they’re still in common use.

They are. The myth that they are somehow inherently more secure is still widespread.

xofer2y ago

> No guarantees are given, for nothing

This is a double negative. Depending on how you interpret the comma, it could mean "guarantees are given for everything." (Pointing this out in case you intend to protect yourself from liability with this statement.)

1 more reply

j / k navigate · click thread line to collapse

26 comments

cloin2y ago

* - https://github.com/cloin/cloin.eda/blob/main/docs/rss.rst

** - https://github.com/ansible/ansible-rulebook

boricj2y ago

Neat!

You got yourself a subscriber.

toomuchtodo2y ago

Does Let's Encrypt not provide alerting when a cert hasn't been refreshed successfully?

https://letsencrypt.org/docs/expiration-emails/

boricj2y ago

That's totally on me for missing it. On the other hand I only follow a couple of RSS feeds, so it's a notification channel with a far higher signal-to-noise ratio for me.

nacs2y ago

They do and it has saved me a couple of times.

ThePowerOfFuet2y ago

QuickConnect has had serious security issues in the past, and I recommend very strongly against enabling or using it.

boricj2y ago

I've disabled it just now. I was basically only using it as an alias anyways.

Pathogen-David2y ago

Love the concept! It'd be cool if it was self-hostable, it'd be nice for monitoring certs in my homelab.

dapreee2y ago

https://github.com/google/certificate-transparency-go

This is what I use for my monitoring solutions

justsomehnguy2y ago

You monitor for the failures ($currentDate > $cert.NotAfter), great.

What about soft failures, like connection problems? What if the cert is available but actually garbage? What if between 30 and 7 days the cert is changed?

And no, not checking FQDN against SAN is...

And finally, who monitors the monitoring?

jackhalford2y ago

No need to be snarky, clearly monitoring end user connections is a must. But the general idea of using RSS for monitoring is new to me, thanks for sharing!

gry2y ago

Fantastic. I love when someone stitches existing tools to solve a problem in a novel and elegant way.

dewey2y ago

For transparency monitoring there's also https://crt.sh/?q=news.ycombinator.com which doesn't need a login, is free and has RSS support.

mmsc2y ago

raphtingOP2y ago

Awesome, thank you!

rabbitofdeath2y ago

Uptime Kuma can also monitor certificate expiration; you can also enable it to show you how many days are left until it expires.

https://github.com/louislam/uptime-kuma

smolBobbyTables2y ago

Hey. Thanks for making this. It really solves this silly use-case I have for certs that I can never get automated management going.

I have to submit a change request to get this added to our monitoring platform, and this is just so much simpler.

Thank you!

devsda2y ago

Interesting. Choice of rss is nice because there are already a good number of "convert/insert rss into x" tools that can be used to generate other modes of monitoring/alerts.

crtasm2y ago

Love it! A parameter to pick which notifications would be appreciated, e.g. I might only want the 1 day in advance.

And perhaps also specifying a port, for services not on 443?

Neil442y ago

I use Nagios to warn on cert expirations. Things should auto renew yes, but this catches the times that they don't.

LorenDB2y ago

akerl_2y ago

I auto renew all my certs via either AWS ACM or lego.

I also have monitoring that alerts me if a cert is nearing expiry.

I’ve been alerted several times and been able to correct bugs or hiccups that would have caused the live cert to expire.

Automation is not a replacement for monitoring: they are complementary.

philsnow2y ago

> Automation is not a replacement for monitoring: they are complementary

absolutely. there are any number of reasons Caddy would be unable to renew the cert, just off the top of my head:

- LetsEncrypt has downtime or unavailability

- If you're doing dns-01 challenges for LE, whatever cred Caddy uses for that might expire / become invalidated.

- disk fills up (or gets unexpectedly remounted read-only) and Caddy is unable to write the renewed certs

divbzero2y ago

Are there still instances where you would want an Extended Validation (EV) certificate? If so, that’s one case where certificate monitoring could be relevant.

Browsers today no longer provide visual indicators for EV certificates [1] so I don’t know if they’re still in common use.

[1]: https://en.wikipedia.org/wiki/Extended_Validation_Certificat... "Removal of special UI indicators"

matrss2y ago

> Are there still instances where you would want an Extended Validation (EV) certificate?

Not really.

> [...] I don’t know if they’re still in common use.

They are. The myth that they are somehow inherently more secure is still widespread.

xofer2y ago

> No guarantees are given, for nothing

1 more reply

j / k navigate · click thread line to collapse