Command line tool to check the validity of SSL/TLS certificates using SSL Labs Test. Prints useful information about the certificates of each host.
Exits with error if the tests fail, the hostname can't be resolved or the host is unreachable. Can optionally be configured to fail if certificate is about to expire, or if it got a bad grade by the SSL Labs test.
This is primarily intended to be run periodically as a cron job,
ci/cd pipeline job etc that will send a notification in case of failure.
For example, one can create a Gitlab project with a very simple
.gitlab-ci.yml
that runs a check against managed websites,
configure a pipeline schedule to run it daily,
and turn on email or slack notifications for failed pipelines in this project.
Install the dependencies listed in requirements.txt
and just run
./ssl-check.sh --help
or use the docker image
docker run -it --rm dimrozakis/ssl-check ssl-check --help
Run ssl-check --help
to see a detailed list of options:
usage: ssl-check.py [-h] [-c HOURS] [-s SECS] [-t NUM] [-e DAYS]
[-g [GRADE [GRADE ...]]] [-p THREADS]
host [host ...]
Check SSL/TLS certificates of hosts using SSL Labs Scan
positional arguments:
host Specify a host to connect to.
optional arguments:
-h, --help show this help message and exit
-c HOURS, --cache-max-age HOURS
Use cached results with given age in hours. Zero
(default) will always trigger a test. (default: 0)
-s SECS, --sleep SECS
Sleep for that many seconds, between result requests
for each host. (default: 10)
-t NUM, --times NUM Attempt that many times to get results. (default: 60)
-e DAYS, --warn-expiration DAYS
Exit with error if certificate will expire in the
given number of days or less. (default: 10)
-g [GRADE [GRADE ...]], --grade [GRADE [GRADE ...]]
Exit with error if grade doesn't match the one
specified. Can be used multiple times to whitelist
multiple grades. For example, `-g A+ A A-` (default:
None)
-p THREADS, --parallel THREADS
How many host results should be queried in parallel.
If unset, it will run everything in parallel. Reduce
to avoid being blocked by SSL Labs. Set to 1 to run
everything serially. (default: 0)
Checking the certificates of github.com
and gitlab.com
,
using scans up to one hour old,
and failing for grades other than A
and A+
or if the certificate expires in less than 90 days.
In this case, the script exits with error because gitlab's certificates expire in less than 90 days.
docker run --rm dimrozakis/ssl-check ssl-check -g A+ A -e 90 -c 1 github.com gitlab.com
2021-02-19 00:59:19,682 INFO github.com: READY
2021-02-19 00:59:19,885 INFO gitlab.com: READY
2021-02-19 00:59:19,886 INFO Completed polling for results
2021-02-19 00:59:19,886 INFO github.com: OK, grade is A+, expires in 445 days
2021-02-19 00:59:19,886 ERROR gitlab.com: Certificate expires in 82 days
2021-02-19 00:59:19,886 ERROR gitlab.com: Certificate expires in 82 days
2021-02-19 00:59:19,886 INFO
+------------+-------+------------------------------------+------------------------------------------------------------------+------------------------------------------------+--------------------------------+-------------+--------------------------------+
| host | grade | ip | altNames | issuer | expires | tested | message |
+------------+-------+------------------------------------+------------------------------------------------------------------+------------------------------------------------+--------------------------------+-------------+--------------------------------+
| github.com | A+ | 140.82.113.3 | github.com, www.github.com | DigiCert SHA2 High Assurance Server CA | 2022-05-10 15:00 (in 445 days) | 7 hours ago | OK |
| gitlab.com | A+ | 2606:4700:90:0:f22e:fbec:5bed:a9b9 | gitlab.com, auth.gitlab.com, customers.gitlab.com, email.cust... | Sectigo RSA Domain Validation Secure Server CA | 2021-05-12 02:59 (in 82 days) | 9 hours ago | Certificate expires in 82 days |
| gitlab.com | A+ | 172.65.251.78 | gitlab.com, auth.gitlab.com, customers.gitlab.com, email.cust... | Sectigo RSA Domain Validation Secure Server CA | 2021-05-12 02:59 (in 82 days) | 9 hours ago | Certificate expires in 82 days |
+------------+-------+------------------------------------+------------------------------------------------------------------+------------------------------------------------+--------------------------------+-------------+--------------------------------+
2021-02-19 00:59:19,887 ERROR Exiting with errors