Cool! I have a strange affinity for RSS and created* a small plugin to subscribe to feeds within Event-Driven Ansible** and run actions on new feed posts. I didn't create it with a specific utility in mind; certificate monitoring via RSS fits right in there, much to my surprise.<p>* - <a href="https://github.com/cloin/cloin.eda/blob/main/docs/rss.rst">https://github.com/cloin/cloin.eda/blob/main/docs/rss.rst</a><p>** - <a href="https://github.com/ansible/ansible-rulebook">https://github.com/ansible/ansible-rulebook</a>
Neat!<p>Recently my Synology NAS failed to automatically renew its Let's Encrypt certificate for my domain name and the certificate expired on my blog. I caught it the next day when my GoAccess metrics cratered (took some time to figure out since I normally use the QuickConnect domain name myself, whose certificate was fine), but it could've stayed broken for a very long time otherwise without me noticing.<p>You got yourself a subscriber.
You monitor for the failures ($currentDate > $cert.NotAfter), great.<p>What about soft failures, like connection problems? What if the cert is available but actually garbage? What if between 30 and 7 days the cert is changed?<p>And no, not checking FQDN against SAN is...<p>And finally, who monitors the monitoring?
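The checks this comment asks about (soft failures, an unusable certificate, a name not covered by the SAN, a certificate swapped between polls), as an added example that is not from the thread or from the tool being discussed. `classify`, `san_matches`, the finding codes and the sample data are hypothetical; the certificate dict uses the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: outer warning threshold mentioned in the comment


def san_matches(hostname, cert):
    """Match hostname against DNS subjectAltName entries.

    Only an exact name, or a wildcard covering the left-most label, counts.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False


def classify(hostname, cert, fingerprint, previous_fingerprint, now, error=None):
    """Return a list of finding codes; an empty list means healthy."""
    if error is not None or not cert:
        # Soft failure: surface it instead of silently skipping the host.
        return ["UNREACHABLE"]
    findings = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) / 86400
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left <= WARN_DAYS:
        findings.append("EXPIRES_SOON")
    if not san_matches(hostname, cert):
        findings.append("NAME_MISMATCH")
    if previous_fingerprint and fingerprint != previous_fingerprint:
        findings.append("CERT_CHANGED")
    return findings


# Constructed sample data; fingerprints are placeholders, not real hashes.
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}
NOW = datetime(2025, 6, 10, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(classify("blog.example.org", SAMPLE_CERT, "aa11", "aa11", NOW))
    print(classify("example.net", SAMPLE_CERT, "bb22", "aa11", NOW))
    print(classify("example.org", None, None, "aa11", NOW, error="timed out"))
```

`getpeercert()` only returns a populated dict when the handshake validated the chain, so an empty dict is treated here the same as a failed connection.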
For transparency monitoring there's also <a href="https://crt.sh/?q=news.ycombinator.com" rel="nofollow">https://crt.sh/?q=news.ycombinator.com</a> which doesn't need a login, is free and has RSS support.
Uptime Kuma can also monitor certificate expiration; you can also enable it to show you how many days are left until it expires.<p><a href="https://github.com/louislam/uptime-kuma">https://github.com/louislam/uptime-kuma</a>
Hey. Thanks for making this. It really solves this silly use-case I have for certs that I can never get automated management going.<p>I have to submit a change request to get this added to our monitoring platform, and this is just so much simpler.<p>Thank you!
Interesting. Choice of RSS is nice because there are already a good number of "convert/insert RSS into x" tools that can be used to generate other modes of monitoring/alerts.
Love it! A parameter to pick which notifications would be appreciated, e.g. I might only want the 1 day in advance.<p>And perhaps also specifying a port, for services not on 443?
Super neat tool, but given that I use Caddy, that kinda prevents this issue from happening for me. While a monitoring tool is always a good idea, maybe the best long-term solution would be to encourage certificate auto-renewal tools. OTOH, I have only worked with this on a personal level, so maybe there are problems with auto-renewal that I haven't learned about.
> No guarantees are given, for nothing<p>This is a double negative. Depending on how you interpret the comma, it could mean "guarantees are given for everything." (Pointing this out in case you intend to protect yourself from liability with this statement.)