This application allows you to check SSL certificate expiry in bulk. The application is a Node.js script that can run within the New Relic Synthetics minion. The terraform package allows you to easily deploy the application to your account: it automates provisioning of the synthetic, secure credentials and posture dashboards. You may also simply copy and paste the script if you do not want to use terraform.
The targets to test are provided by calling the function getTargets(). You supply the body of this function, which may return static data or, if you prefer, request dynamic data via an API call. Targets are expected to be in the following JSON format:
[
  {
    "name": "BBC News",
    "domain": "news.bbc.co.uk"
  },
  {
    "domain": "foo.com",
    "hosts": [
      "111.222.333.444",
      "555.666.777.888"
    ]
  },
  {
    "domain": "bam.com",
    "timeout": 10000,
    "hosts": [
      "111.222.333.444",
      "555.666.777.888"
    ]
  },
  {
    "domain": "self-signed-cert.com",
    "allowUnauthorized": true
  },
  {...}
]
- name: Optional - Friendly name of the site being tested
- domain: Required - The domain name to test
- hosts: Optional - An array of IP addresses to test, skipping DNS
- timeout: Optional - milliseconds timeout (default 5000)
- allowUnauthorized: Optional - if true then cert will not be validated against CA (useful for self-signed)
You can either use the terraform deployment method (detailed here) or the simpler copy and paste method (see below). The terraform deployment sets up the synthetic monitor, secure credentials and monitoring dashboard.
- Check out the repo
- Copy runtf.sh.sample to runtf.sh and add your API keys
- terraform init to initialise
- ./runtf.sh apply to deploy to New Relic.
- API Keys - ./terraform/runtf.sh
- Target Data Sources - ./terraform/main.tf
- Thresholds and timeouts - ./terraform/modules/sslchecker/modules/sslminion/src/synthetic.js (built)
The boilerplate example references static_small.js from main.tf, which is a small JavaScript function that defines the SSL (TLS) domains to test. There are some other examples here of how to specify these. You can even query an API to drive the configuration as demonstrated in api-driven.js.
The application comes with a built in dashboard. Set up alerts as you require.
This is the simplest way to get started; you will need to manually create your synthetic monitor.
Copy and paste the copy-paste-example.js into a Scripted API synthetic monitor. You will need to provide an ingest API key (preferably via a secure credential) and define your getTargets() function. Refer to the example scripts for configuration ideas.
You may wish to be alerted if your certificates are about to expire. The script will assert a failure if the number of days remaining for any target is below that configured by the WARNING or CRITICAL thresholds specified in the script.
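The following is an added example, not the project's own code: it shows one way the target fields described earlier could be expanded into per-endpoint checks and how days remaining could be classified against the WARNING and CRITICAL thresholds. The helper names, the threshold values (28 and 14 days), the use of the domain as the TLS servername when hosts is set, and the unvalidated list are assumptions made for illustration.

```javascript
'use strict';
// Added example, not the project's code. Helper names and the two
// threshold values are assumptions; 5000 ms is the README's default.
const DEFAULT_TIMEOUT_MS = 5000;
const WARNING_DAYS = 28;   // assumed value
const CRITICAL_DAYS = 14;  // assumed value
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// One check per endpoint. With `hosts`, connect to each IP but keep the
// domain as the TLS servername (SNI) so the certificate is still matched
// against the name being monitored.
function expandTarget(target) {
  if (!target || typeof target.domain !== 'string' || target.domain === '') {
    throw new Error('target is missing the required "domain" field');
  }
  const hasHosts = Array.isArray(target.hosts) && target.hosts.length > 0;
  return (hasHosts ? target.hosts : [target.domain]).map((host) => ({
    name: target.name || target.domain,
    host,
    servername: target.domain,
    timeoutMs: Number.isInteger(target.timeout) ? target.timeout : DEFAULT_TIMEOUT_MS,
    // Only an explicit boolean true switches CA validation off.
    rejectUnauthorized: target.allowUnauthorized !== true,
  }));
}

// Whole days until `validTo`, the expiry string Node reports for a peer
// certificate (e.g. 'Jan 11 00:00:00 2025 GMT'). Negative once expired.
function daysRemaining(validTo, now) {
  return Math.floor((new Date(validTo).getTime() - now.getTime()) / MS_PER_DAY);
}

function classify(days) {
  if (Number.isNaN(days) || days < CRITICAL_DAYS) return 'critical'; // unparseable date fails closed
  return days < WARNING_DAYS ? 'warning' : 'ok';
}

// results: [{ check, validTo }] -> counts named like the README's
// criticalErrors / warningErrors, plus targets whose chain was not validated.
function summarise(results, now) {
  const out = { criticalErrors: 0, warningErrors: 0, unvalidated: [] };
  for (const { check, validTo } of results) {
    const level = classify(daysRemaining(validTo, now));
    if (level === 'critical') out.criticalErrors += 1;
    if (level === 'warning') out.warningErrors += 1;
    if (!check.rejectUnauthorized) out.unvalidated.push(check.servername);
  }
  return out;
}
```

Listing the targets that ran with allowUnauthorized set keeps the exceptions to CA validation visible in each run, so they can be reviewed rather than forgotten.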
If you deployed using terraform you will find a dashboard that lets you explore the data easily. If not, you may explore the data manually using NRQL. The following data is available:
The summary information about each run of the script is stored as custom attributes against the SyntheticCheck event type. This includes the total number of critical and warning errors, amongst other useful metadata. You can query this, for example:
SELECT latest(custom.criticalErrors), latest(custom.warningErrors) from SyntheticCheck where monitorName = 'your-monitor-name'
Data about each target is recorded as a metric in the Metric event type called {NAMESPACE}.days. The name of the metric varies depending on the value set for NAMESPACE, for which the default is SSLCHKR. The data includes dimensional meta attributes for each target including issuer and expiry date. You can query the data as follows:
SELECT getField(SSLCHKR.days, 'latest') as 'Days Left', * from Metric where tool='SSLCHKR'