Checking SSL/TLS endpoints with Eventline

Updated for the open source version of Eventline.

Introduction

Configuring SSL/TLS servers has never been easy, and one always has to worry about an unexpected configuration change causing the dreaded “Not Secure” warning, usually accompanied by a cryptic error message.

Having automated tests to regularly make sure that your website is still accessible using HTTPS helps a lot when trying to avoid this kind of issue.

Of course, this means having some kind of script, a place to run it, a way to collect results and to be notified if something goes wrong… In this article, we will demonstrate how Eventline can be used to run these tests.

We assume some familiarity with the way jobs are deployed on Eventline. Feel free to refer to our tutorial for more information.

Script

Let us start with a small script named check-tls-endpoint.sh whose job is to check a single endpoint:

#!/bin/sh

set -eu

if [ $# -lt 2 ]; then
  echo "Usage: $0 <host> <port>" >&2
  exit 1
fi

host=$1
port=$2

# Connect, send the host name as SNI, verify both the certificate chain and
# the host name, and turn any verification failure into a non-zero exit status.
echo 'Q' | openssl s_client -host "$host" -port "$port" \
  -servername "$host" -verify_hostname "$host" -verify_return_error

We call the OpenSSL s_client subcommand to connect to the host and port passed as parameters. The -servername option sends the host name in the SNI extension, so that a server hosting several names presents the certificate we actually want to test. The -verify_hostname option makes OpenSSL check that this certificate matches the host name; s_client does not do this by default and only verifies the certificate chain, which would let a valid certificate issued for the wrong name pass the check. Finally, -verify_return_error forces openssl to abort the handshake and return a non-zero exit status code if verification fails, instead of merely printing a “verify error” line and exiting successfully. Note that we have to write a single character, Q, to the standard input of OpenSSL to force it to quit right after the SSL connection has been established. See the man page of s_client for more information.

The script sticks to POSIX sh on purpose: set -o pipefail is not supported by every /bin/sh (dash on Debian, for instance), and it is not needed here anyway since openssl is the last command of the pipeline, so its exit status is the one the shell reports.

Job

We can then write the job in a file named check-tls-endpoints.yaml. Make sure to write both the script and the job file in the same directory.

---
name: "check-tls-endpoints"
trigger:
  event: "time/tick"
  parameters:
    periodic: 600
runtime:
  name: "docker"
  parameters:
    image: "alpine:latest"
steps:
  - label: "install dependencies"
    code: |
      apk add openssl
  - label: "check web endpoint"
    script:
      path: "check-tls-endpoint.sh"
      arguments: ["www.example.com", "443"]
  - label: "check mail endpoint"
    script:
      path: "check-tls-endpoint.sh"
      arguments: ["imap.example.com", "993"]
  - label: "check irc endpoint"
    script:
      path: "check-tls-endpoint.sh"
      arguments: ["irc.example.com", "6697"]

The job is executed every 10 minutes (the period is expressed in seconds).

We run our job in Docker for convenience (that, and we need an excuse to show how to use this runner!). We could also simply use the local runner as long as OpenSSL is installed on the host machine. For a check that is meant to run unattended, prefer pinning the image to a specific version rather than alpine:latest, so that the job does not start failing because of an unrelated image update.

First we install OpenSSL, then we call our script for each endpoint that needs to be checked. Certificate verification also requires a CA bundle in the image; the Alpine image ships one, but if every check fails with “unable to get local issuer certificate”, a missing or outdated CA bundle is the first thing to look at.

If one of the checks fails, the job fails too. Since steps run in order, a failing step stops the job, so the remaining endpoints are not checked until the next execution. If you configured an email address for notifications in the configuration of the Eventline project, you will be notified as soon as it happens.

Testing everything

At this point, your job is operational. You can use Evcli and its deploy-job command to deploy it.

If everything went right, the job is visible on the web interface, and will be executed on a regular basis.

Going further

We could improve this job in several ways:

  • We could check for additional information such as the expiration date of the certificate, and fail when expiration is near.
  • We could also check for more than just SSL/TLS support and speak the protocol of the service behind it, for example by waiting for the IMAP server greeting rather than stopping at the TLS handshake.
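As an added example (not part of the original article nor of Eventline itself), here is how the first improvement could be implemented, following the same conventions as check-tls-endpoint.sh. The script name check-tls-expiry.sh, the 14-day default window and the third, optional argument are assumptions; the only dependency is the openssl command line tool. It fetches the leaf certificate with s_client and lets openssl x509 -checkend decide whether the certificate is still valid at the end of the window, so the job fails before the certificate actually expires.

```shell
#!/bin/sh
# check-tls-expiry.sh (hypothetical name): fail when the certificate served
# by <host>:<port> expires within <seconds> (default: 14 days).
# Added example; it only relies on the openssl command line tool.

set -eu

# Print the PEM-encoded leaf certificate presented by HOST:PORT.
# The s_client transcript goes to stderr and is discarded; only the
# first certificate of the output is kept.
fetch_cert() {
  echo 'Q' | openssl s_client -host "$1" -port "$2" -servername "$1" \
    2>/dev/null | openssl x509
}

# Succeed (exit 0) if the certificate in file $1 is still valid $2 seconds
# from now, fail (exit 1) if it expires before then.
# `openssl x509 -checkend` implements exactly this test.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print the notAfter date of the certificate in file $1, for the job log.
cert_end_date() {
  openssl x509 -in "$1" -noout -enddate
}

main() {
  host=$1
  port=$2
  window=${3:-1209600}   # 14 days, in seconds (assumed default)

  pem=$(mktemp)
  trap 'rm -f "$pem"' EXIT

  # With set -e, a failed handshake makes x509 fail and aborts the script,
  # which is the behaviour we want for a monitoring job.
  fetch_cert "$host" "$port" > "$pem"

  if cert_valid_for "$pem" "$window"; then
    echo "$host:$port: certificate OK ($(cert_end_date "$pem"))"
  else
    echo "$host:$port: certificate expires within $window seconds" \
      "($(cert_end_date "$pem"))" >&2
    exit 1
  fi
}

# Only run the check when endpoint arguments are given, so that the
# functions above can also be reused from another script.
if [ $# -ge 2 ]; then
  main "$@"
else
  echo "Usage: $0 <host> <port> [seconds]" >&2
fi
```

In the job, this script would get its own step per endpoint, for instance with arguments ["www.example.com", "443", "1209600"], and the window should be chosen so that a notification arrives well before the renewal deadline rather than on the day the certificate stops working.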

Do you have any use cases in mind? We would love to hear about them!