let's renew let's encrypt
It seems I’ll never buy a certificate again
Let’s Encrypt still surprises me with how well its servers work. I’ve never noticed it being unavailable, which amazes me given that it is a free, non-profit service (backed by some “big tech”, sure) and a Certificate Authority responsible for some real breakthroughs. Not only was it the first free CA to really catch on (remember StartCom?), but it debuted the ACME protocol. There is ZeroSSL, which seems to want to build a market on the Let’s Encrypt model, but it will always be harder for me to trust a for-profit service. I hope Let’s Encrypt keeps going for a very long time, and it seems it will.
Either way, with free certificates comes great responsibility, or something along those lines. The certificates last 3 months each, so depending on how many systems you have, renewing each one manually is not feasible. Quite a few tools support the ACME protocol nowadays (shout-out to acme.sh, which I like a lot, though I am skeptical about the whole ZeroSSL-becoming-the-default thing…). You need to set up your tool and pray that it keeps working forever, which it never will.
Surely that’s not the case, as you get renewal alerts if you do not renew within about 60 days (depending on how you’ve set up your account), and your tool might have an alerting function available. These are not great options for me, and missed renewals have bitten me more times than I would like (it’s tough when you simply forget a renewal because you have managed to automate every single other one, so renewals drop out of your routine). Right now I have actually eliminated all my manual renewals, even though I think I could step things up quite a bit more before considering this subject closed, so now comes an interesting problem to solve. I need to check that all the renewals are still going well (the ACME v1 expiration reminded me of that), and I’m surprised that there is not yet a very cool, libre monitoring daemon with a cool dashboard running on Linux (let me know if I missed it).
letsrenew
So before a whole year passes without a new post here, let’s share the last tool I have built: letsrenew. It is a very simple script I have remade (more on that later) that will download the certificate in use on your website and verify its validity. With Let’s Encrypt you will most likely renew the cert every 60 days, giving you 30 days of headroom to solve any potential issues with the renewal process before you are left without a valid certificate. I’ll just comment that this validity should be as short as possible, trying not to diverge too much from the current topic (I wonder if you can still make sense of my text, as I am running away from the subject all the time, in all posts). Combine that with your favorite alerting script/function/feature/service/whatever and you’re almost there!
The second thing it does is let you manipulate the socket of the connection that will request the certificate (which translates to being able to redirect the connection to another server or port). This allows you to get through SSL terminators, like Cloudflare or other proxies, and verify the certificates all the way to the last TLS endpoint (still, REMEMBER TO BLOCK EXTERNAL TRAFFIC IF YOU USE SIMILAR SERVICES). Simply opening your website in your browser would only let you check the outermost certificate, which might not even be issued by your own automation. If you still can’t see the utility of this, well, get many websites running, issue many certificates for them, put them behind other servers with different certificates and try to monitor the certificates on the back end without a similar tool. If you don’t kill yourself, or worse, delete your hosts file, go get letsrenew to have your soul back.
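To make the two ideas above concrete (download the certificate actually served, measure how much validity is left, and point the TCP connection at the origin server while keeping the real hostname as SNI), here is an added example written for this post. It is not letsrenew’s own code and assumes nothing about that project; the 30-day warning threshold, the `--connect` option and the function names are my own choices, and the 60/90-day numbers are the Let’s Encrypt cadence described in the text.

```python
import argparse
import socket
import ssl
from datetime import datetime, timezone

# Assumed threshold: Let's Encrypt certs live 90 days and the usual renewal
# cadence is 60 days, so fewer than 30 days left means a renewal was missed.
DEFAULT_WARN_DAYS = 30


def fetch_peer_cert(hostname, connect_host=None, port=443, timeout=10):
    """Open a verified TLS connection and return the leaf certificate dict.

    `hostname` is sent as SNI and used for hostname verification, while the
    TCP connection goes to `connect_host` (the origin behind a proxy or CDN)
    when given. That is the "redirect the socket" trick: the certificate we
    get back belongs to the last TLS endpoint, not to the terminator in front.
    """
    target = connect_host or hostname
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((target, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _to_epoch(now):
    """Accept None (use current UTC time), a datetime, or epoch seconds."""
    if now is None:
        return datetime.now(timezone.utc).timestamp()
    if isinstance(now, datetime):
        return now.timestamp()
    return float(now)


def days_until_expiry(cert, now=None):
    """Days (float) until the certificate's notAfter; negative if expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the GMT string
    return (not_after - _to_epoch(now)) / 86400


def assess(cert, now=None, warn_days=DEFAULT_WARN_DAYS):
    """Classify a certificate dict as 'ok', 'warn' or 'expired'.

    On a live connection an already-expired cert is rejected by the
    handshake and surfaces as 'error' in check_site(); 'expired' is reachable
    when assessing stored certificate data with an explicit `now`.
    """
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "expired", days
    if days <= warn_days:
        return "warn", days
    return "ok", days


def check_site(hostname, connect_host=None, port=443, warn_days=DEFAULT_WARN_DAYS):
    """Fetch and assess one endpoint; verification failures are reported, not hidden."""
    try:
        cert = fetch_peer_cert(hostname, connect_host, port)
    except (ssl.SSLError, OSError) as exc:
        # A chain that fails to verify, a wrong-name cert on the origin or a
        # dead host deserve an alert just as much as a cert about to expire.
        return {"host": hostname, "status": "error", "days": None,
                "detail": f"{type(exc).__name__}: {exc}"}
    status, days = assess(cert, warn_days=warn_days)
    return {"host": hostname, "status": status, "days": round(days, 1),
            "detail": f"notAfter={cert['notAfter']}"}


def format_report(result):
    """One line per check, ready to pipe into telegram-send or a log file."""
    days = "n/a" if result["days"] is None else f"{result['days']} days left"
    return f"[{result['status'].upper()}] {result['host']}: {days} ({result['detail']})"


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Check the certificate of the last TLS endpoint")
    parser.add_argument("hostname", help="name sent as SNI and verified against the cert")
    parser.add_argument("--connect", help="origin host or IP to connect to instead of hostname")
    parser.add_argument("--port", type=int, default=443)
    parser.add_argument("--warn-days", type=int, default=DEFAULT_WARN_DAYS)
    args = parser.parse_args()
    report = check_site(args.hostname, args.connect, args.port, args.warn_days)
    print(format_report(report))
    raise SystemExit(0 if report["status"] == "ok" else 1)
```

Run it as `python check_cert.py www.example.test --connect 10.0.0.5` from a cron job and pipe the output into your alerting of choice; a non-zero exit code covers “warn”, “expired” and “error” alike. Verification is deliberately left on: if the origin behind the proxy presents a certificate that does not chain or does not match the name, that is exactly the failed renewal you wanted to hear about, so it is reported rather than silently bypassed.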
I am aware that I should make my own simple Telegram message sender, but I suggest you use telegram-send along with letsrenew, in a cron job, to get the most out of what the tool does right now. It has been a couple of hours’ worth of hacking, but still a very useful product for me, and I hope you can solve problems with it too.
what about v-1?
About the remade thing I mentioned (you didn’t even remember, did you?). I was actually writing this tool before (a few years ago), and I wonder whether I just couldn’t find the libs I’ve used this time, or whether they really weren’t there yet, but I had built almost all the same features by importing the C version of OpenSSL into my Python to read the certificate info. It’s pretty cool that you can do that in Python, and it actually enlightened me on using a cryptography library at a lower level than I’m used to. If that didn’t complicate the script so much, I’d actually go back to that approach. Things can get raw the lower you go =)
Until the next one!