ssl-check

Command line tool to check the validity of SSL/TLS certificates using SSL Labs Test. Prints useful information about the certificates of each host.

Exits with error if the tests fail, the hostname can't be resolved or the host is unreachable. Can optionally be configured to fail if certificate is about to expire, or if it got a bad grade by the SSL Labs test.

This is primarily intended to be run periodically as a cron job, ci/cd pipeline job etc that will send a notification in case of failure. For example, one can create a Gitlab project with a very simple .gitlab-ci.yml that runs a check against managed websites, configure a pipeline schedule to run it daily, and turn on email or slack notifications for failed pipelines in this project.

Running

Install the dependencies listed in requirements.txt and just run

./ssl-check.sh --help

or use the docker image

docker run -it --rm dimrozakis/ssl-check ssl-check --help

Options

Run ssl-check --help to see a detailed list of options:

usage: ssl-check.py [-h] [-c HOURS] [-s SECS] [-t NUM] [-e DAYS]
                    [-g [GRADE [GRADE ...]]] [-p THREADS]
                    host [host ...]

Check SSL/TLS certificates of hosts using SSL Labs Scan

positional arguments:
  host                  Specify a host to connect to.

optional arguments:
  -h, --help            show this help message and exit
  -c HOURS, --cache-max-age HOURS
                        Use cached results with given age in hours. Zero
                        (default) will always trigger a test. (default: 0)
  -s SECS, --sleep SECS
                        Sleep for that many seconds, between result requests
                        for each host. (default: 10)
  -t NUM, --times NUM   Attempt that many times to get results. (default: 60)
  -e DAYS, --warn-expiration DAYS
                        Exit with error if certificate will expire in the
                        given number of days or less. (default: 10)
  -g [GRADE [GRADE ...]], --grade [GRADE [GRADE ...]]
                        Exit with error if grade doesn't match the one
                        specified. Can be used multiple times to whitelist
                        multiple grades. For example, `-g A+ A A-` (default:
                        None)
  -p THREADS, --parallel THREADS
                        How many host results should be queried in parallel.
                        If unset, it will run everything in parallel. Reduce
                        to avoid being blocked by SSL Labs. Set to 1 to run
                        everything serially. (default: 0)

Example usage

Checking the certificates of github.com and gitlab.com, using scans up to one hour old, and failing for grades other than A and A+ or if the certificate expires in less than 90 days.

In this case, the script exits with error because gitlab's certificates expire in less than 90 days.

docker run --rm dimrozakis/ssl-check ssl-check -g A+ A -e 90 -c 1 github.com gitlab.com

2021-02-19 00:59:19,682  INFO    github.com: READY
2021-02-19 00:59:19,885  INFO    gitlab.com: READY
2021-02-19 00:59:19,886  INFO    Completed polling for results
2021-02-19 00:59:19,886  INFO    github.com: OK, grade is A+, expires in 445 days
2021-02-19 00:59:19,886  ERROR   gitlab.com: Certificate expires in 82 days
2021-02-19 00:59:19,886  ERROR   gitlab.com: Certificate expires in 82 days
2021-02-19 00:59:19,886  INFO
+------------+-------+------------------------------------+------------------------------------------------------------------+------------------------------------------------+--------------------------------+-------------+--------------------------------+
|    host    | grade |                 ip                 |                             altNames                             |                     issuer                     |            expires             |    tested   |            message             |
+------------+-------+------------------------------------+------------------------------------------------------------------+------------------------------------------------+--------------------------------+-------------+--------------------------------+
| github.com |   A+  |            140.82.113.3            |                    github.com, github.com                    |     DigiCert SHA2 High Assurance Server CA     | 2022-05-10 15:00 (in 445 days) | 7 hours ago |               OK               |
| gitlab.com |   A+  | 2606:4700:90:0:f22e:fbec:5bed:a9b9 | gitlab.com, auth.gitlab.com, customers.gitlab.com, email.cust... | Sectigo RSA Domain Validation Secure Server CA | 2021-05-12 02:59 (in 82 days)  | 9 hours ago | Certificate expires in 82 days |
| gitlab.com |   A+  |           172.65.251.78            | gitlab.com, auth.gitlab.com, customers.gitlab.com, email.cust... | Sectigo RSA Domain Validation Secure Server CA | 2021-05-12 02:59 (in 82 days)  | 9 hours ago | Certificate expires in 82 days |
+------------+-------+------------------------------------+------------------------------------------------------------------+------------------------------------------------+--------------------------------+-------------+--------------------------------+

2021-02-19 00:59:19,887  ERROR   Exiting with errors