Check host certificates and get an alert when a certificate is about to expire or has expired.
```
$ ./certalert -h
usage: certalert [-h] (-i HOSTS | -f FILE) [-d DBFILE] [-g IGNOREFILE] [-k] [-l] [-m] [-p PORTS] [-t THREADS] [-to TIMEOUT] [-v] [-y DAYS]

Check sites and servers for expiring/expired TLS certificates

options:
  -h, --help            show this help message and exit
  -i HOSTS, --ip HOSTS  comma-separated list of hostnames, IP addresses or CIDR networks (e.g. localhost,127.0.0.1,fe80::,1.2.3.0/24)
  -f FILE, --file FILE  file containing host port1,port2,... lines, one line per host (see README)
  -d DBFILE, --db DBFILE
  -g IGNOREFILE, --ignore IGNOREFILE
                        File with hosts that should be ignored, one host per line (default: None)
  -k, --insecure        Disable certificate checks when sending data to splunk. (default: False)
  -l, --splunk          Send an event to Splunk using the HTTP Event Collector (see splunk.json) (default: False)
  -m, --mail            Send an email with the results after the scan has finished (see email.json) (default: False)
  -p PORTS, --ports PORTS
                        comma-separated list of ports (default: 443,636,993,995,8443)
  -t THREADS, --threads THREADS
                        set number of threads (default: 5)
  -to TIMEOUT, --timeout TIMEOUT
                        socket timeout (default: 0.5)
  -v, --verbose
  -y DAYS, --days DAYS  days until expiry date (default: 7)
```
You can pass multiple IP addresses, hostnames, networks and ports by separating them with a comma:

```
-i 127.0.0.1,127.0.0.2,localhost,127.1.2.0/24 -p 1,2,3,4,5
```

You can also query IPv6 addresses, or a mix of IPv6 and IPv4 addresses. The default number of threads is 5, which seems to be more than enough on a LAN.
```
$ cat examplefile
1.1.1.1
2.2.2.2 22
3.3.3.3 33,333
4.4.4.4 44,444,4444
5.5.5.5/24
localhost
6.6.6.6/28 66,666,6666
anotherhost.localnet
example.net 443
```

Don't specify /32 as a subnet mask; this will not work.

If you don't specify ports for a host in the file, the program will use either the default ports or whatever you specify with -p.
The script will store certs that have expired or are about to expire in an SQLite database. The stored data is:

- date: the time and day of the scan
- host: scanned host
- port: scanned port
- certificate: PEM-encoded host certificate
- fingerprint: SHA256 fingerprint of the certificate
- expired: 1 if the cert has expired, 0 if not (meaning it will expire soon)
- expirydate: the 'not after' field of the certificate
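As an added example (not certalert's own code), here is a parser for the host-file format described above together with the expiry classification that decides whether a certificate is stored as expired (1) or expiring soon (0). Rejecting single-address masks and using the notAfter string format of Python's `ssl.getpeercert()` are assumptions of this example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

DEFAULT_PORTS = [443, 636, 993, 995, 8443]  # the -p defaults from the help text above


def parse_hostfile(text, default_ports=DEFAULT_PORTS, ignored=()):
    """Turn 'host [port1,port2,...]' lines into (host, ports) targets.
    CIDR entries expand to their usable addresses; a /32 or /128 mask is
    rejected (the README says /32 will not work); `ignored` hosts (-g) are dropped."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        # ports are optional; without them the default list (or -p) applies
        ports = [int(p) for p in fields[1].split(",")] if len(fields) > 1 else list(default_ports)
        if "/" in host:
            net = ipaddress.ip_network(host, strict=False)
            if net.prefixlen == net.max_prefixlen:
                raise ValueError(f"{host}: single-address subnet mask is not supported")
            hosts = [str(a) for a in net.hosts()]
        else:
            hosts = [host]
        targets.extend((h, ports) for h in hosts if h not in ignored)
    return targets


def classify_expiry(not_after, days=7, now=None):
    """Return the 'expired' column value for a certificate's notAfter string
    (assumed in ssl.getpeercert() format, e.g. 'Jun  5 00:00:00 2025 GMT'):
    1 = already expired, 0 = expires within `days` (the -y threshold),
    None = nothing to store."""
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expiry <= now:
        return 1
    if expiry - now <= timedelta(days=days):
        return 0
    return None


if __name__ == "__main__":
    # constructed sample in the README's file format
    sample = "1.1.1.1\n2.2.2.2 22\n6.6.6.6/28 66,666,6666\nlocalhost\n"
    for host, ports in parse_hostfile(sample, ignored=("localhost",)):
        print(host, ports)
    print(classify_expiry("Jun  5 00:00:00 2025 GMT", now=datetime(2025, 6, 1, tzinfo=timezone.utc)))
```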
You can optionally send the results to Splunk using an HTTP Event Collector. Edit the file splunk.json, add the URL, the token and edit the sourcetype. The token in this repo is a test token for a local docker container, please don't open an issue for this, thanks.
```json
{
  "url": "https://your.server.com:8088/services/collector",
  "token": "your-token-here",
  "sourcetype": "_json"
}
```

Create the file email.json and paste the following content:
```json
{
  "username": "[email protected]",
  "password": "passwordHere",
  "server": "servername",
  "port": 25,
  "useTLS": "False",
  "useSTARTTLS": "True",
  "senderMailAddress": "[email protected]",
  "recipient": "[email protected], mail2.example.net"
}
```

When using -m/--mail, certalert will now send an email with all results.