Ask HN: Do you still monitor your SSL certificate validity?
In light of SSLPing's shutdown (see https://news.ycombinator.com/item?id=30985514), I'm wondering:
Do many people still monitor their SSL certificates for expiry/validity, given certificate providers like AWS ACM handle refreshing certificates automatically?
(I run the 200th uptime monitoring service, and SSL validity checking doesn't seem to be a particularly high priority for my users, hence the question)
14 comments
[ 2.9 ms ] story [ 32.2 ms ] thread[1] - https://github.com/Neilpang/acme.sh.git
I guess it’s a low-hanging fruit (easy) external thing to monitor alongside the normal HTTP checks so I just throw it in there and keep an eye on it.
Over time I continue to delegate/offload things to external providers, like PaaS/IaaS services, SSL termination, logging etc, but I’m still ultimately responsible if any of my systems go down. It doesn’t really matter whether it happens to be my direct fault or that of the provider. So monitoring seems just as important. In fact there’s an argument for increasing monitoring the more you automate/delegate something. Otherwise you might lose sight of it altogether and only be abruptly reminded of it’s existence when something unexpected happens!
An example with dual stack IPv4/v6 https/smtp/imap support:
Note that s_client doesn't check if the hostname passed is correct for the certificate it receives by default. To turn this on use the -verify_hostname option (https://www.openssl.org/docs/man3.0/man1/openssl-verificatio...)We even monitor important (to us) external services' and FAANGs' certificates and services. We've surprised a number of external entities with "hey, the cert for $xyz expires tomorrow", including a popular fruit-based FAANG.
Also, check out the script in the other comment from dxld!
1. https://www.xymon.com
https://github.com/netdata/netdata
https://learn.netdata.cloud/docs/agent/collectors/go.d.plugi...