SSL/TLS Certificate Monitor
This module can be used as a stand-alone CLI utility or integrated with a third party monitoring service combined with AWS Lambda.
Stand-Alone CLI
(TODO: provide bash wrapper/install into /usr/local)
$ node index.js --helpUsage: node index.js [--urlsfrom file] [url] --help This message --urlsfrom filename File to read newline separated urls --cafile filename Use separate CA file to confirm authority --date date Specify the date to check against
- Check a single URL and process the output via Bunyan:
$ node index.js https://google.com | ./node_modules/.bin/bunyan[2017-11-23T19:52:53.414Z] INFO: certificate-monitor/37777 on Tethys: Checking: Url
- Check multiple URLs using a file with line-separated URLs by passing the name of the file via
--urlsfrom
- By default, the
date_warning
will check 30 days in advance and will be true if the detected SSL certificate is going to expire within that time period. You can specify different numbers of days via--days
. You can specify a particular date to test from via--date
Arbitrary API setup
const cm = ;cm;
certInfo
will contain information about the certificate and when it will expire/has expired.
AWS API and Lambda Integration
$ make lambda
Creates certificate-monitor-hash.zip. Upload this to your Lambda function and deploy it, e.g. certificate-monitor-917a41b.zip
Create an API end-point in AWS that points to this Lambda function. API Gateway proxy setup
See lambda.js
for the response sent back via the AWS API Proxy.
Upload the certificate-monitor-hash.zip that you've created to the Lambda function.
Invokation/testing using cURL:
$ curl -X POST -d '{ "urlList": [ "https://google.com" ] }' https://#########.execute-api.us-east-1.amazonaws.com/prod/certificate-monitor{"https://google.com":{"ssl_ok":true}}
Pingdom Integration and AWS Lambda
Post Body example:
Response should look like:
{
"headers": {...},
"statusCode": 200,
"body": "{\"https://google.com\":{\"ssl_ok\":true}}"
}
ssl_ok
translates into a check on if the SSL certificate will expire within the next 30 days and if the certificate appears to pass CA checks. If either one of these fails, then ssl_ok
will be false.
If you wish to check multiple domains via one uptime pingdom check, you can add more to the urlList
, e.g. ["https://google.com", "...",...]
and then check that the returned result does not contain "ssl_ok":false