cert-checker
cert-checker is a certificate monitoring utility for watching TLS certificates. The results of its checks are exposed as Prometheus metrics, to be viewed on a dashboard or used to soft-alert cluster operators.
This tool is heavily inspired by the awesome version-checker by jetstack.
Features
Testing for Certificate Errors
cert-checker detects the following types of certificate errors (and possibly more):
- Expired certificates
- Wrong host
- Bad root certificates
- Revoked certificate
- Cipher suites not allowed
  - dh480
  - dh512
  - null
  - rc4
If cert-checker finds any certificate errors, these are displayed on the Grafana dashboard.
Testing for minimal TLS Version
cert-checker checks the minimum supported SSL/TLS version for the endpoints.
The following SSL/TLS versions are tested:
- SSL 3.0 - Deprecated in 2015
- TLS 1.0 - Deprecated in 2020
- TLS 1.1 - Deprecated in 2020
- TLS 1.2
- TLS 1.3
See Transport Layer Security for more info.
The minimum supported versions are displayed on the Grafana dashboard.
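Both checks above (the certificate error classes and the minimum TLS version probe) can be reproduced with a short Go program. The following is an added example written for this page, not cert-checker's own code: it implements the expired, wrong-host and bad-root classes and the per-version handshake probe, and leaves out revocation and cipher-suite checks. The `ProbeTLS`/`ProbeResult` names, the `startServer` fixture and the `example.test`/`other.test` host names are constructed for the demo. Go's crypto/tls has no SSL 3.0 support, so that row of the table cannot be probed from Go; the fixture's minimum version is set explicitly so the result does not depend on the Go release's default.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ProbeResult is what one probe learns about an endpoint.
type ProbeResult struct {
	NotAfter   time.Time
	Errors     []string // any of "expired", "wrong host", "bad root"
	MinVersion uint16   // lowest TLS version the server negotiated, 0 if none
}

// ProbeTLS reads the chain over one unverified handshake, classifies the three
// error types independently, then tries one handshake per TLS version (lowest
// first; Go cannot speak SSL 3.0). roots is the trust store; nil means system roots.
func ProbeTLS(addr, serverName string, roots *x509.CertPool, now time.Time) (ProbeResult, error) {
	var res ProbeResult
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true, MinVersion: tls.VersionTLS10})
	if err != nil {
		return res, err
	}
	chain := conn.ConnectionState().PeerCertificates
	conn.Close()
	leaf := chain[0]
	res.NotAfter = leaf.NotAfter
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		res.Errors = append(res.Errors, "expired")
	}
	if leaf.VerifyHostname(serverName) != nil {
		res.Errors = append(res.Errors, "wrong host")
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	// Verify the chain at an instant inside the leaf's validity window and without
	// a DNSName, so an expired leaf or a name mismatch does not mask a bad root.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: leaf.NotBefore.Add(time.Second)}
	if _, err := leaf.Verify(opts); err != nil {
		res.Errors = append(res.Errors, "bad root")
	}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		cfg := &tls.Config{ServerName: serverName, InsecureSkipVerify: true, MinVersion: v, MaxVersion: v}
		if c, err := tls.Dial("tcp", addr, cfg); err == nil {
			c.Close()
			res.MinVersion = v
			break
		}
	}
	return res, nil
}

// startServer is a constructed fixture (not part of cert-checker): a TLS listener on
// 127.0.0.1 with a self-signed certificate for dnsName that expires at notAfter. It
// returns the address, a pool that trusts that certificate, and a stop function.
func startServer(dnsName string, notAfter time.Time, minVersion uint16) (string, *x509.CertPool, func(), error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}, MinVersion: minVersion}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), pool, func() { ln.Close() }, nil
}

func main() {
	// Constructed scenario: an expired certificate served under the wrong name.
	addr, pool, stop, err := startServer("example.test", time.Now().Add(-time.Hour), tls.VersionTLS12)
	if err != nil {
		panic(err)
	}
	defer stop()
	res, err := ProbeTLS(addr, "other.test", pool, time.Now())
	fmt.Println(res.NotAfter.Format(time.RFC3339), res.Errors, res.MinVersion, err)
}
```

Like cert-checker itself, the probe needs nothing beyond ordinary outbound TCP connections, so it runs as an unprivileged user. Note that it opens up to five handshakes per endpoint per run; against production hosts, keep the interval generous.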
Permissions
A nice property of how cert-checker is implemented is that it can run without root and without the CAP_NET_RAW capability on Linux, and without Administrator privileges on Windows: it only needs ordinary outbound TCP connections to the endpoints it monitors.
Installation
cert-checker can be installed as a standalone static binary from the release page
Create a config file like the example below, config.yaml:

```yaml
loglevel: debug
port: 8080 # Optional
intervalminutes: 10
certificates:
- dns: google.com
- dns: expired.badssl.com
```

```shell
./cert-checker -c config.yaml
DEBU[2021-05-17T17:27:44+02:00] Probing all
INFO[2021-05-17T17:27:44+02:00] serving ui on 0.0.0.0:8081
INFO[2021-05-17T17:27:44+02:00] serving metrics on 0.0.0.0:8080/metrics
DEBU[2021-05-17T17:27:44+02:00] Probing: google.com
...
# Now open browser at:
# - http://localhost:8081/
# - http://localhost:8080/metrics
```
Run in Docker
You can use the published docker image like this. First create a config file as above, or download the demo file:

```shell
curl https://raw.githubusercontent.com/mogensen/cert-checker/main/config.yaml -O
# Start docker container (mounting the config file may be different on OSX and Windows)
docker run -p 8081:8081 -p 8080:8080 -v ${PWD}/config.yaml:/app/config.yaml mogensen/cert-checker:latest
# Now open browser at:
# - http://localhost:8081/
# - http://localhost:8080/metrics
```
See released docker images on DockerHub
Using docker-compose
This repository contains an example of deploying the entire Prometheus, Grafana and cert-checker stack, using docker-compose.
```shell
cd deploy/docker-compose/
docker-compose up -d
```
Service | URL |
---|---|
cert-checker | ui endpoint http://localhost:8081/ |
cert-checker | metrics endpoint http://localhost:8080/metrics |
Prometheus | example query http://localhost:9090/graph?g0.expr=cert_checker_expire_time{}&g0.tab=0 |
Grafana | Dashboard http://localhost:3000/d/cert-checker/certificate-checker |
Remember to edit deploy/docker-compose/cert-checker/config.yaml with the actual domains you want to monitor.
See stefanprodan/dockprom for more Prometheus, Grafana, AlertManager examples using Docker-compose
In Kubernetes as static manifests
cert-checker can be installed as static manifests:

```shell
$ kubectl create namespace cert-checker
# Deploy cert-checker, with kubernetes services and demo configuration
$ kubectl apply -n cert-checker -f deploy/yaml/deploy.yaml
# If you are using the Grafana sidecar for loading dashboards
$ kubectl apply -n cert-checker -f deploy/yaml/grafana-dashboard-cm.yaml
# If you are using the Prometheus CRDs for setting up scrape targets
$ kubectl apply -n cert-checker -f deploy/yaml/servicemonitor.yaml
```

Remember to edit the configmap with the actual domains you want to monitor.
Helm
cert-checker can be installed as a helm release:

```shell
$ kubectl create namespace cert-checker
$ helm install cert-checker deploy/charts/cert-checker --namespace cert-checker
```

Depending on your setup, you may need to modify the ServiceMonitor to get Prometheus to scrape it in a particular namespace. See this. You may also need to add additional labels to the ServiceMonitor.

If you have installed the prometheus-community/kube-prometheus-stack with the release name prometheus, the following should work:

```shell
$ helm upgrade cert-checker deploy/charts/cert-checker \
  --namespace cert-checker \
  --set=grafanaDashboard.enabled=true \
  --set=serviceMonitor.enabled=true \
  --set=serviceMonitor.additionalLabels.release=prometheus
```
Kustomize
cert-checker can be installed using kustomize. Create a kustomization.yaml file:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-checker
resources:
- github.com/mogensen/cert-checker/deploy/yaml
# optionally pin to a specific git tag
# - github.com/mogensen/cert-checker/deploy/yaml?ref=cert-checker-0.0.6
# override the configmap with your required settings
patchesStrategicMerge:
- |-
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: cert-checker
    namespace: cert-checker
  data:
    config.yaml: |
      loglevel: info
      intervalminutes: 60
      certificates:
      - dns: my-very-own-domain.com
```

Use the kustomization.yaml file to preview and deploy cert-checker (kustomize build takes the directory containing kustomization.yaml, not the file itself):

```shell
$ kustomize build . | less # preview yaml manifests
$ kustomize build . | kubectl apply --dry-run=client -f - # dry-run apply manifests
$ kustomize build . | kubectl apply -f - # deploy manifests
```
Web dashboard
By default, cert-checker will expose a web UI on http://0.0.0.0:8081/.
Metrics
By default, cert-checker will expose the results of its certificate checks as Prometheus metrics on http://0.0.0.0:8080/metrics.
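The README leaves alerting on these metrics to the operator. The following PrometheusRule is an added example, not part of cert-checker, built on the two metric names that appear in this README's example queries (cert_checker_is_valid and cert_checker_expire_time). Two assumptions are mine and should be confirmed against the /metrics output before use: that cert_checker_is_valid is 1 for a healthy certificate and 0 otherwise, and that cert_checker_expire_time is a Unix timestamp in seconds. The `release: prometheus` label matches the kube-prometheus-stack example in the Helm section; adjust it to whatever label selector your Prometheus uses for rules.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: cert-checker
  namespace: cert-checker
  labels:
    release: prometheus   # assumption: the label your Prometheus selects rules by
spec:
  groups:
  - name: cert-checker
    rules:
    - alert: CertificateInvalid
      # assumption: is_valid is 0 for any of the error classes cert-checker reports
      expr: cert_checker_is_valid == 0
      for: 30m
      labels:
        severity: warning
      annotations:
        summary: "cert-checker reports an invalid certificate"
        description: "A monitored certificate failed cert-checker's checks: {{ $labels }}"
    - alert: CertificateExpiresSoon
      # assumption: expire_time is a Unix timestamp; alert 14 days before expiry
      expr: (cert_checker_expire_time - time()) < 14 * 24 * 3600
      for: 1h
      labels:
        severity: warning
      annotations:
        summary: "A monitored certificate expires within 14 days"
        description: "Certificate expiry is less than 14 days away: {{ $labels }}"
```

The `for` durations make these soft alerts: a single failed probe (a transient network error, for instance) does not page anyone, which is the intent described at the top of this README.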
Grafana Dashboard
A Grafana dashboard is also included in this repository.
It is located in the deployment folder: deploy/yaml/grafana-dashboard-cm.yaml
The dashboard shows the following
- Number of Broken Certificates
- Number of Certificates about to expire
- Number of Good Certificates
- A list with Certificates with errors
- A list of Certificates Expirations for valid certificates
- Minimum TLS versions supported
The conventions used on the dashboard are:
- Red (text or background): Something is broken, and should be fixed!
- Orange (text or background): Something smells, and should probably be fixed!
- Green (text or background): All is good! Go drink coffee!
Options
By default, without the flag -c, --config, cert-checker will use a config file located next to the binary named config.yaml. This is currently the only flag / option available.

```shell
$ cert-checker -h
Certificate monitoring utility for watching tls certificates and reporting the result as metrics.
Usage:
  version-checker [flags]
Flags:
  -c, --config string   config file (default is config.yaml) (default "config.yaml")
  -h, --help            help for version-checker
```
Development
Test the full setup in Kubernetes with Prometheus and Grafana dashboards:
```shell
# First create a new kind cluster locally, and install prometheus
make dev-kind-create
# Build a docker image, load it into kind and deploy cert-checker and the prometheus/grafana stack
make image dev-kind-install
```
Access the local infrastructure here:
System | URL |
---|---|
Prometheus | http://prometheus.localtest.me/graph?g0.expr=cert_checker_is_valid&g0.tab=1&g0.stacked=0&g0.range_input=1h |
Grafana | http://grafana.localtest.me/d/cert-checker/certificate-checker |
Built-in dashboard | http://cert-checker.localtest.me/ |