Say ‘no’ to expiring SSL certificates
I’m launching haveibeenexpired.com publicly! This is a short tour of the app itself, its inner workings, and some ideas for the future.
A two-month-long journey is coming to the point where what I’ve built needs to be kicked out of the door. I described my experiences working on this project in my previous posts. This time, I’m providing a written ‘guided tour’ of this super-simple app.
First of all, there’s a lot to gain from the app without even signing up. If you have a premonition concerning an SSL certificate of any website, just type its name and check for its expiration. You’ll also see the expected expiration of the domain registration for your website.
You’ll also notice a list of related websites you may be interested in checking: jss.medium.com, link.medium.com, read.medium.com … in the screenshot above. Following these links will show you the SSL certificate and domain registration details for their respective websites.
That’s about it for the non-signed-up experience. You are welcome to test as many websites as you’d like!
Signing up
The app uses Google to identify users. It will only ask for your name and email so it can identify you from now on. Your email may be used for notifications in the future, but not right now.
Click Start Monitoring Now or Sign in with Google in the top right corner of the page, approve that you are ok with Google letting us know your email, and you’re in.
On the Dashboard view you’ll see the domains and hosts that the service is tracking for you. You will only see the ones that are closest to their expiration. Therefore, if the top line for both domains and hosts has a far-away expiration timestamp, you’re good to go — no surprises are expected!
The alert at the top will gently nudge you to add a Slack webhook. Do so in order to receive timely notifications — I don’t really expect you to come back and check in on your dashboard every now and then. Let it do the work for you! More about this will be explained in the Account view.
This is a good time to explain what domains and hosts are. Domains are a way to carve out a ‘neighbourhood’ on the Internet, owning a certain range of addresses such as anything that ends with medium.com, google.com or similar. Domains need to be registered, and their registration period will usually have a term. You don’t want your domain registration to expire, as it can lead to your ‘neighbourhood’ being removed from the map for everyone else. The app tracks domains for expiration of registration.
Hosts are specific addresses in a given ‘neighbourhood’, where you can ask for content and see what they serve. Think about adrukh.medium.com belonging to the medium.com domain. Hosts serve content, and to do so securely, they employ encryption by using SSL certificates. An SSL certificate states which host(s) it was issued for, since when and until when it is valid, and more. You don’t want your SSL certificate to be used after its expiration, as it will prevent users from connecting securely with your host. The app tracks hosts for SSL certificate expiration.
The slightly confusing part is that a domain can also be a host. That’s ok, the app will present such names twice — once in the domains list, and once in the hosts list.
The app uses domains to mark ‘areas of interest’. If you work for acme.com, and you care about SSL certificates at work, it is likely that any SSL certificate served by a host belonging to the acme.com domain would interest you: foo.acme.com, bar.acme.com and so on. But you may not know about all the publicly available hosts in your domain, nor do you want to add an extra step every time a new host is created (such as baz.acme.com), and keep your account updated. This is where the magic happens!
SSL certificates have two properties that help discover new and existing certificates and hosts. One is the subject alternative names, where a single certificate can be used by many different hosts. For example, foo.acme.com may serve a certificate with both foo.acme.com and bar.acme.com embedded in it, letting us know that bar.acme.com is also a viable host in the acme.com domain. The other property is a ‘public trace’ left by almost every SSL certificate that is being published. Some services publish this information for free use, such as crt.sh. Try searching for medium.com or any other domain, and you’ll see a list of recently published SSL certificates within that domain.
By employing these two properties, your account learns more and more about the SSL certificates you should be aware of, accumulating more data on your behalf, and keeping track of as much as it can for your benefit. The only thing you need to do is state the domains that interest you, and let the system do its thing. Within a few minutes you’ll see more and more hosts being discovered and automatically added to your account. All hosts are monitored for SSL certificate expiration by design.
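As an added illustration (this is example code, not code from haveibeenexpired.com), here is how a monitor can pull the facts described above out of a certificate: the names in the subject alternative name extension, the validity window, and which of those names fall under a monitored domain. To run offline it builds a throwaway self-signed certificate in memory; the host names foo.acme.com, bar.acme.com, the wildcard and cdn.example.net, and the 90-day lifetime are constructed sample values. In a real check the DER bytes would be the peer certificate obtained from a TLS handshake with the host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertFacts is what a monitor keeps per observed certificate:
// the names it covers and the window in which it is valid.
type CertFacts struct {
	Subject   string
	NotBefore time.Time
	NotAfter  time.Time
	SANs      []string
}

// Inspect reads the facts out of a DER-encoded certificate, as a monitor
// would do with the peer certificate after a TLS handshake with a host.
func Inspect(der []byte) (CertFacts, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertFacts{}, err
	}
	return CertFacts{
		Subject:   cert.Subject.CommonName,
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
		SANs:      cert.DNSNames,
	}, nil
}

// DaysLeft is the whole number of days from now until the certificate's
// notAfter; negative once the certificate has already expired.
func DaysLeft(notAfter, now time.Time) int {
	return int(notAfter.Sub(now).Hours() / 24)
}

// DiscoverHosts keeps the SANs that sit inside one of the monitored domains.
// Wildcard entries are skipped ("*.acme.com" is not a host you can connect
// to), and names under other domains are ignored so that a certificate shared
// with an unrelated site cannot pull foreign hosts into the account.
func DiscoverHosts(sans, domains []string) []string {
	var hosts []string
	for _, san := range sans {
		san = strings.ToLower(san)
		if strings.HasPrefix(san, "*.") {
			continue
		}
		for _, d := range domains {
			d = strings.ToLower(d)
			if san == d || strings.HasSuffix(san, "."+d) {
				hosts = append(hosts, san)
				break
			}
		}
	}
	return hosts
}

// SelfSignedCert builds a throwaway certificate in memory (constructed test
// data only) so the example runs without contacting any host.
func SelfSignedCert(cn string, sans []string, notBefore time.Time, days int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	issued := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample: one certificate shared by two acme.com hosts,
	// plus a wildcard and a name from an unrelated domain.
	der, err := SelfSignedCert("foo.acme.com",
		[]string{"foo.acme.com", "bar.acme.com", "*.acme.com", "cdn.example.net"}, issued, 90)
	if err != nil {
		panic(err)
	}
	facts, err := Inspect(der)
	if err != nil {
		panic(err)
	}
	now := issued.AddDate(0, 0, 60)
	fmt.Printf("%s valid %s to %s, %d days left\n", facts.Subject,
		facts.NotBefore.Format("2006-01-02"), facts.NotAfter.Format("2006-01-02"),
		DaysLeft(facts.NotAfter, now))
	fmt.Println("hosts discovered under acme.com:", DiscoverHosts(facts.SANs, []string{"acme.com"}))
}
```

The domain filter in DiscoverHosts is what keeps auto-detection bound to the domains list: a certificate that also names cdn.example.net tells you nothing about acme.com, so that name is not added.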
Clicking on the Hosts link in the nav bar will take you to the view above. Here you can see all the hosts that are being monitored in your account. They are ordered by expiration date, from the earliest to the latest. You can paginate through the entire list. Filtering the list via the Search box will only show hosts with the search term appearing in their name.
At the end of the list you’ll find hosts that cannot be tested for some reason. An error message will appear next to them, explaining the problem. In the example above, no.such.host.com cannot be tested as there is no such DNS entry. It’s perfectly fine to monitor such hosts — you never know when they may appear for real, and start serving SSL traffic.
Use the Add box at the bottom of the table to add new hosts manually. You can add any name, as long as it matches the hostname format. While auto-detection of new hosts is bound to your domains list, adding new hosts manually is not. You are welcome to add any host that you want to be notified about. Adding a host outside your domains list does not extend auto-detection to that host’s domain.
Use the checkboxes on each host row to select and delete hosts you are no longer interested in monitoring. Do note that deleting hosts that belong to a domain in your domains list is likely to be reverted by the auto-detection process, and the host will be re-added in the future.
The domains view has a very similar structure to the hosts view. Here you can filter and add new domains.
Note that deleting a domain is interpreted as disinterest in the domain itself AND any related hosts. Such an action will also remove all hosts belonging to this domain from your account. If you deleted a domain by mistake, do not fret — re-adding this domain will add it to the auto-detection process, and its hosts will be re-discovered and added to your account with time.
Click your avatar in the top right corner, and choose Account. You can see your account details as provided by Google. Changing these details is an action you can perform with Google directly, hence the disabled view here.
Next is the Slack webhook integration. I believe that SSL certificate monitoring is a team effort, and notifications are better suited to Slack channels than to email inboxes. Follow the instructions link to generate a webhook URL and set it here. You will receive a test message once the URL is applied for the first time:
This is what an occasional notification would look like:
Should you choose to undo the Slack integration, the following Slack message will confirm your action:
The notification policy is quite simple right now. Any monitored SSL certificate crossing the line between ‘more than 4 weeks till expiration’ and ‘less than 4 weeks till expiration’ will trigger a single notification, provided the account has an active Slack integration. That’s it!
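To make the Slack integration and the single-notification policy concrete, here is an added example (my own illustration, not code from the app) of a monitor that fires exactly once per crossing of the four-week line and posts the message to a Slack incoming webhook. The per-host state handles the two edge cases a practitioner cares about: hourly re-checks must not repeat the message, and a renewal that moves the certificate back above the line must re-arm the host so its next crossing is announced again. The host name foo.acme.com, the expiry date and the message wording are constructed sample values; the webhook URL is whatever you stored on the Account page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// Threshold is the line the notification policy watches: four weeks before expiry.
const Threshold = 28 * 24 * time.Hour

// Monitor remembers, per host, whether the "under four weeks" message has
// already been sent, so repeated checks do not repeat it. A renewal that puts
// the certificate back above the line re-arms the host for its next crossing.
type Monitor struct {
	notified map[string]bool
}

func NewMonitor() *Monitor {
	return &Monitor{notified: make(map[string]bool)}
}

// Observe records the latest check for host and reports whether a single
// notification is due now: true only on the first check that sees the
// certificate at four weeks or less from its notAfter.
func (m *Monitor) Observe(host string, notAfter, now time.Time) bool {
	if notAfter.Sub(now) > Threshold {
		m.notified[host] = false // still far away (or freshly renewed): re-arm
		return false
	}
	if m.notified[host] {
		return false // this crossing was already announced
	}
	m.notified[host] = true
	return true
}

// slackMessage is the minimal body a Slack incoming webhook accepts.
type slackMessage struct {
	Text string `json:"text"`
}

// SlackPayload renders the notification body for one host (constructed wording).
func SlackPayload(host string, notAfter time.Time) ([]byte, error) {
	return json.Marshal(slackMessage{
		Text: fmt.Sprintf("SSL certificate for %s expires on %s (under 4 weeks left)",
			host, notAfter.Format("2006-01-02")),
	})
}

// Notify posts the payload to the webhook URL stored for the account.
// Slack answers 200 on success; anything else is reported as an error.
func Notify(webhookURL, host string, notAfter time.Time) error {
	body, err := SlackPayload(host, notAfter)
	if err != nil {
		return err
	}
	resp, err := http.Post(webhookURL, "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("slack webhook returned %s", resp.Status)
	}
	return nil
}

func main() {
	m := NewMonitor()
	expiry := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC) // constructed sample
	// Simulate successive checks as the expiry approaches: only the 27-day
	// check, the first one at four weeks or less, should report true.
	for _, daysBefore := range []int{40, 29, 27, 20} {
		now := expiry.AddDate(0, 0, -daysBefore)
		fmt.Printf("%d days before expiry: notify=%v\n", daysBefore, m.Observe("foo.acme.com", expiry, now))
	}
	// Notify("https://hooks.slack.com/services/<your-webhook-path>", "foo.acme.com", expiry)
	// would post the message; the URL is a placeholder for the one you generated.
}
```

Keying the state on the host rather than on the certificate is deliberate: the user thinks in hosts, and a host that keeps serving an old certificate after a renewal was supposed to happen is exactly the case the message should not go quiet on.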
The last part on the Account page allows you to delete your account. Off-boarding from the app should be as simple as on-boarding. So if you feel you are better off without the app, go ahead and delete your account. The app will forget everything about your personal details, and will disconnect the Slack integration if you had one set up. You are always welcome to sign up again if you wish.
This turned out to be quite a busy Minimum Viable Product for the launch! There’s much planned ahead, such as API access to the monitored domains and hosts, email-based and custom webhook-based notifications, a granular and customizable notification policy, and more. But I’m more keen on tweaking the offering to hit significant user registration numbers, acting on what I see to be working better or worse. Adding new features is a constant pull for me, one I want to resist a bit for now.
Thanks for reading this far, I hope you find this service useful! Please leave a note if you think anything can be improved or should be changed.