Checking SSL/TLS endpoints with Eventline
Updated for the open source version of Eventline.
Configuring SSL/TLS servers has never been easy, and one always has to worry about an unexpected configuration change which will cause the dreaded “Not Secure” annotation, usually associated with a cryptic error message.
Having automated tests to regularly make sure that your website is still accessible using HTTPS helps a lot when trying to avoid this kind of issue.
Of course it means having some kind of script, a place to run it, a way to collect results and be notified if something goes wrong… In this article, we will demonstrate how Eventline can be used to run these tests.
We will assume that we have some knowledge about the way jobs are deployed on Eventline. Feel free to refer to our tutorial for more information.
Let us start with a small script named
check-tls-endpoint.sh whose job is to
check a single endpoint:
#!/bin/sh set -eu set -o pipefail if [ $# -lt 2 ]; then echo "Usage: $0 <host> <port>" >&2 exit 1 fi host=$1 port=$2 echo 'Q' | openssl s_client -host "$host" -port "$port" -verify_return_error
We call the OpenSSL
s_client subcommand to connect to the host and port
passed as parameters. The
-verify_return_error option forces
return a non-zero exit status code if verification fails. Note that we have to
write a single character,
Q, to the standard input of OpenSSL to force it to
quit right after the SSL connection has been established. See the man
s_client for more information.
We can then write the job in a file named
sure to write both the script and the job file in the same directory.
--- name: "check-tls-endpoints" trigger: event: "time/tick" periodic: periodic: 600 runtime: name: "docker" parameters: image: "alpine:latest" steps: - label: "install dependencies" code: | apk add openssl - label: "check web endpoint" script: path: "check-tls-endpoint.sh" arguments: ["www.example.com", "443"] - label: "check mail endpoint" script: path: "check-tls-endpoint.sh" arguments: ["imap.example.com", "993"] - label: "check irc endpoint" script: path: "check-tls-endpoint.sh" arguments: ["irc.example.com", "6697"]
The job is to be executed every 10 minutes.
We run our job in Docker for convenience (that, and we need an excuse to show how to use this runner!). We could also simply use the local runner as long as OpenSSL is installed on the host machine.
First we install OpenSSL, then we call our script for each endpoint that need to be checked.
If one of the check fails, the job will also fail. If you configured an email address for notifications in the configuration of the Eventline project, you will be notified as soon as it happens.
At this point, your job is operational. You can use
Evcli and its
command to deploy it.
If everything went right, the job is visible on the web interface, and will be executed on a regular basis.
We could improve this job several ways:
- We could check for additional information such as the expiration date of the certificate, and fail when expiration is near.
- We could also check for more than just SSL/TLS support and try to connect to the service running.
Do you have any use cases in mind ? We would love to hear about it!