certcheckntfy/README.md
2025-12-21 19:16:59 +01:00

About

certcheckntfy is my rudimentary Rust way of getting informed by a push message when my LetsEncrypt certificates are about to expire. Of course I could have achieved the same thing with any other (scripting) language, but I want to improve my Rust knowledge and get more familiar with it. I like Rust ;) I have already replaced my greylister (written in C++) and also my vmail backend (written in Javascript/NodeJS) with solutions written in Rust, and replacing NodeJS freed up around 75MB RAM; on a system with only 2GB that's not nothing.

I could simply run certbot renew with additional hooks, but I have to update the TLSA record at my DNS provider manually as they do not provide any API. That's why I decided against it and went for notifications only.

Prerequisites

  • The Rust compiler installed on your system to build the software
  • A working NTFY server, see NTFY Homepage
  • You will need the ntfy app on your Android based mobile device. I do not know if something like ntfy is available on iOS.
  • Of course you need to subscribe to the topic you choose, see below.
  • A Linux based server including systemd, but since Rust is available on BSD it should be possible to get it up and running there too. Windows is not supported, there is Powershell ;)

Install

  • Check out the repository and build it with cargo build --release
  • Copy the executable from target/release/certcheckntfy to your server(s)
  • Copy the .service and the .timer file to /etc/systemd/system (on your server(s) of course)
  • Adjust the .service and .timer file to your liking
  • Enable the timer: systemctl enable --now cert_check.timer
  • Check the timer: systemctl list-timers

On BSD systems where systemd is not available just skip the .timer and .service files and use cron or whatever scheduler your system provides.

Configuration

The systemd service file shows the environment variables you have to provide. NOTIFY_URL must be set; the others should work out of the box, but you may have to adapt them if you aren't using Certbot or if your certificates use a different date format (which I doubt).

  • CERT_DATE_FORMAT="%%b%%e %%H:%%M:%%S %%Y GMT" (check the actual format with: openssl x509 -enddate -noout -in <path to cert file>)
  • CERT_BASE_PATH=/etc/letsencrypt/live
  • CERT_FILE_NAME=cert.pem
  • THRESHOLD_DAYS=x (where x is a number greater than zero)
  • NOTIFY_URL=$NTFY_URL/TOPIC

The double % in CERT_DATE_FORMAT is necessary because systemd itself uses % for specifiers in unit files, so a literal % has to be escaped as %%.

If you made changes to the .service or .timer file after activating the timer, remember to run systemctl daemon-reload.

Once LetsEncrypt switches to 45-day lifetimes in February 2028 as described here, THRESHOLD_DAYS should be decreased to around 10.

Test

To test your settings, run systemctl start cert_check.service and watch the journal with journalctl -xf while doing so. If none of your certs are due for renewal the program will log something like

Certificate OK for CN=$HOSTNAME$. Expires after $TIMESTAMP$ which is in $x day(s)

On the other hand, if one of your certificates expires in less than $THRESHOLD_DAYS days it will log a Certificate Warning instead, and it will also log the push notification like so:

Certificate Warning for CN=$HOSTNAME$. Expires after $TIMESTAMP$ which is in $x day(s)
Push notification sent to $NOTIFY_URL$

If all went well you should receive a push message on your Android device almost immediately. Done ;)
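The following is an added example, not certcheckntfy's own code, that reproduces the decision described in the Configuration and Test sections above: parse the notAfter date in the format openssl prints, compare the remaining whole days against THRESHOLD_DAYS, and produce the log line shown above. It uses only the Rust standard library so it runs without any crates; the date parser, the CN "example.org", the sample notAfter string and the fixed "now" timestamps are assumptions constructed for the example. Splitting on whitespace (rather than a fixed-width format) is deliberate: openssl pads single-digit days with a second space ("Jan  1").

```rust
// Added example, not the project's code. Assumptions: notAfter is the string
// `openssl x509 -enddate -noout` prints ("Dec 21 19:16:59 2025 GMT"), "now"
// is a Unix timestamp supplied by the caller, CN and sample data are constructed.
use std::time::{SystemTime, UNIX_EPOCH};

const MONTHS: [&str; 12] = [
    "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec",
];

#[derive(Debug, PartialEq)]
pub enum CertStatus {
    Ok { days_left: i64 },
    Warning { days_left: i64 },
}

/// Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's civil-date algorithm).
fn days_from_civil(y: i64, m: u32, d: u32) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let mp = (m as i64 + 9) % 12; // March-based month index, so Feb 29 is the year's last day
    let doy = (153 * mp + 2) / 5 + d as i64 - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    era * 146_097 + doe - 719_468
}

/// Parse "Dec 21 19:16:59 2025 GMT" (optionally prefixed with "notAfter=") into Unix seconds.
/// Splitting on whitespace absorbs the extra space openssl pads into "Jan  1".
pub fn parse_not_after(line: &str) -> Result<i64, String> {
    let trimmed = line.trim();
    let s = trimmed.strip_prefix("notAfter=").unwrap_or(trimmed);
    let parts: Vec<&str> = s.split_whitespace().collect();
    if parts.len() != 5 || parts[4] != "GMT" {
        return Err(format!("unexpected notAfter format: {:?}", s));
    }
    let month = MONTHS
        .iter()
        .position(|m| *m == parts[0])
        .ok_or_else(|| format!("bad month: {}", parts[0]))? as u32
        + 1;
    let day: u32 = parts[1].parse().map_err(|e| format!("bad day: {}", e))?;
    let year: i64 = parts[3].parse().map_err(|e| format!("bad year: {}", e))?;
    let hms: Vec<i64> = parts[2]
        .split(':')
        .map(|x| x.parse::<i64>().map_err(|e| format!("bad time: {}", e)))
        .collect::<Result<_, _>>()?;
    if hms.len() != 3 || !(1..=31).contains(&day) || hms[0] > 23 || hms[1] > 59 || hms[2] > 60 {
        return Err(format!("out-of-range field in {:?}", s));
    }
    Ok(days_from_civil(year, month, day) * 86_400 + hms[0] * 3_600 + hms[1] * 60 + hms[2])
}

/// THRESHOLD_DAYS must be a number greater than zero, as the README requires.
pub fn parse_threshold(s: &str) -> Result<i64, String> {
    match s.trim().parse::<i64>() {
        Ok(n) if n > 0 => Ok(n),
        _ => Err(format!("THRESHOLD_DAYS must be > 0, got {:?}", s)),
    }
}

/// Warn when fewer than `threshold_days` whole days remain. An already expired
/// certificate yields a negative day count and is therefore also a warning.
pub fn check(not_after: i64, now: i64, threshold_days: i64) -> CertStatus {
    let days_left = (not_after - now).div_euclid(86_400);
    if days_left < threshold_days {
        CertStatus::Warning { days_left }
    } else {
        CertStatus::Ok { days_left }
    }
}

/// Log line in the shape the README shows for OK and Warning.
pub fn log_line(cn: &str, not_after_raw: &str, status: &CertStatus) -> String {
    let (label, days) = match status {
        CertStatus::Ok { days_left } => ("OK", *days_left),
        CertStatus::Warning { days_left } => ("Warning", *days_left),
    };
    format!(
        "Certificate {} for CN={}. Expires after {} which is in {} day(s)",
        label, cn, not_after_raw, days
    )
}

fn main() {
    // Constructed sample input, not taken from a real certificate.
    let raw = "Dec 21 19:16:59 2025 GMT";
    let now = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .expect("clock before 1970")
        .as_secs() as i64;
    let threshold = parse_threshold("30").unwrap();
    match parse_not_after(raw) {
        Ok(t) => println!("{}", log_line("example.org", raw, &check(t, now, threshold))),
        Err(e) => eprintln!("{}", e),
    }
}
```

Only the Warning branch would go on to publish: ntfy accepts the message as the body of a plain HTTP POST to NOTIFY_URL, which is why the README can express the target as $NTFY_URL/TOPIC.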

Caveat

  • I have not tested certcheckntfy on certificates with SubjectAltNames, i.e. certs covering several names (multiple CNs). It should work but I do not know...
  • The ntfy topic must not require a username/password, as authentication is not implemented, although this could easily be added

License