SSL certificate validity checker

Dec 23, 2022

It’s almost 2023 and we still see websites with expired certificates, but how can this happen?

While most of the popular Certificate Authorities offer automatic renewal, there are still situations where we have to rely on manual steps, and consequently remain exposed to human error. So, how can we monitor the health of our certificates and get notified when action has to be taken?

In this post, I’m presenting a simple serverless solution that periodically checks the SSL certificate of a set of websites and sends an email notification in case the certificate is expired or close to expiration.


This solution is built with the AWS CDK and can be deployed on any AWS account. It creates an EventBridge scheduled event that fires every 30 minutes and triggers an AWS Lambda function.

The function checks the validity of the certificate with the following code:

import os
import socket
import ssl
from datetime import datetime

# Days before expiry at which the check starts reporting a problem (14 in this post)
EXPIRATION_THRESHOLD_DAYS = 14


def main(event, _):
    exit_with_error = False
    # DOMAINS is a comma-separated list set on the Lambda environment, e.g. "example.com,example.org"
    domains = os.environ.get("DOMAINS").split(sep=",")
    # The default context verifies the chain and hostname; an already-expired
    # certificate fails the handshake here, which also makes the invocation fail
    context = ssl.create_default_context()

    for domain in domains:
        with socket.create_connection((domain, 443)) as sock:
            with context.wrap_socket(sock, server_hostname=domain) as ssl_sock:
                cert_data = ssl_sock.getpeercert()

        # getpeercert() returns 'notAfter' as e.g. 'Dec 23 12:00:00 2023 GMT'
        exp = datetime.strptime(cert_data['notAfter'], '%b %d %H:%M:%S %Y GMT')
        delta = exp - datetime.utcnow()

        print(f'domain [{domain}] still [{delta.days}] days left before expiration')
        if delta.days <= EXPIRATION_THRESHOLD_DAYS:
            print(f'domain [{domain}] must be renewed')
            exit_with_error = True

    if exit_with_error:
        # Failing the invocation is what triggers the CloudWatch alarm
        raise RuntimeError('one or more certificates must be renewed')

If any certificate is expired or within 14 days of expiration, the function exits with an error, which triggers a CloudWatch alarm; the alarm publishes to an SNS topic that sends an email to the configured address.
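One detail worth making explicit: with a verifying context, a certificate that has already expired never reaches the date comparison, because the TLS handshake itself rejects it. The following is an added example (not the code from the post's repository) that separates the network fetch from the expiry evaluation so the logic can be unit-tested offline, reports verification and connection failures as "needs action" instead of crashing mid-loop, and uses the stdlib `ssl.cert_time_to_seconds` helper to parse `notAfter`. The domain names and certificate dates in the `__main__` block are constructed sample data.

```python
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

EXPIRATION_THRESHOLD_DAYS = 14  # same threshold the post uses


@dataclass
class CertStatus:
    domain: str
    days_left: Optional[int]  # None when no certificate could be validated
    needs_action: bool
    reason: str


def evaluate_cert(domain: str, cert: dict, now: datetime,
                  threshold_days: int = EXPIRATION_THRESHOLD_DAYS) -> CertStatus:
    """Classify an already-fetched certificate dict (the shape getpeercert() returns)."""
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form of notAfter
    exp = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (exp - now).days
    if days_left < 0:
        return CertStatus(domain, days_left, True, "certificate expired")
    if days_left <= threshold_days:
        return CertStatus(domain, days_left, True, f"expires in {days_left} days")
    return CertStatus(domain, days_left, False, "ok")


def fetch_cert(domain: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Perform a verified TLS handshake and return the peer certificate (network I/O)."""
    context = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=domain) as ssl_sock:
            return ssl_sock.getpeercert()


def check_domain(domain: str, now: Optional[datetime] = None,
                 threshold_days: int = EXPIRATION_THRESHOLD_DAYS,
                 fetch: Callable[[str], dict] = fetch_cert) -> CertStatus:
    """Fetch and classify one domain; failures are reported rather than raised."""
    now = now or datetime.now(timezone.utc)
    try:
        cert = fetch(domain)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired (or otherwise untrusted) certificate never reaches
        # evaluate_cert: the verified handshake rejects it first
        return CertStatus(domain, None, True, f"verification failed: {exc}")
    except (OSError, ssl.SSLError) as exc:
        return CertStatus(domain, None, True, f"connection failed: {exc}")
    return evaluate_cert(domain, cert, now, threshold_days)


def check_all(domains, now=None, threshold_days=EXPIRATION_THRESHOLD_DAYS, fetch=fetch_cert):
    """Return the status of every domain plus a flag saying whether any needs action."""
    statuses = [check_domain(d.strip(), now, threshold_days, fetch) for d in domains if d.strip()]
    return statuses, any(s.needs_action for s in statuses)


if __name__ == "__main__":
    # Constructed sample data: one certificate 28 days out, one inside the window, one expired
    sample_certs = {
        "ok.example": {"notAfter": "Jan 20 00:00:00 2023 GMT"},
        "soon.example": {"notAfter": "Jan  2 00:00:00 2023 GMT"},
        "expired.example": {"notAfter": "Dec 22 00:00:00 2022 GMT"},
    }
    fixed_now = datetime(2022, 12, 23, tzinfo=timezone.utc)
    results, failed = check_all(sample_certs, now=fixed_now, fetch=lambda d: sample_certs[d])
    for status in results:
        print(f"{status.domain}: {status.reason} (days_left={status.days_left})")
    print("needs action:", failed)
```

In a Lambda handler you would call `check_all(os.environ["DOMAINS"].split(","))` with the real `fetch_cert` and raise when the returned flag is true, exactly as the post's function does; injecting `now` and `fetch` is only there so the decision logic can be exercised without a network.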

The full source code can be found in this GitHub repository.

I hope this can be of any help 😄!
