The scalable way (up to thousands of certificates) is https://sslboard.com. Give it one apex domain, it will find all your in-use certificates, then set alerts (email or webhook). Fully external monitoring and inventory.
Looks like it relies on certificate transparency logs. That means that it won't monitor endpoints using wildcard certs. Best thing it could do would be to alert when a wildcard cert is expiring without a renewed cert having been issued.
Is that enough though? You may have wildcards on domains that are not even on a public DNS and you may forget to replace it "somewhere". For that reason it is better to either dump a list of domains from your local DNS or have e.g. zabbix or another agent on every host machine checking that file for you.
That's exactly my point: while this service sounds quite useful for many common cases, it's going to fail in cases where there's not a 1-to-1 certificate-to-server mapping. Even outside of wildcards, you have to account for cases where the cert might be installed on N load balancers.
If you're using a cert on multiple IPs, or IPv4+v6, SSLBoard will monitor all IPs. It's not foolproof, but it covers most common practices. btw wildcard certs don't have a good reputation (blast radius)...
I'd say that load balancers (one-address-to-N-servers) count as a common practice, but I otherwise agree in that regard.
Regarding wildcard certs, eh. I wouldn't say they have a bad reputation. Sure, greater blast radius. But sometimes it can certainly simplify things to use one. Your ACME client configuration is easier and your TLS terminator configuration often becomes easier when the terminator would otherwise need to switch based on SNI.
one-address-to-N-servers is perfect if the N servers don't all terminate TLS. If not, it becomes impossible to actually test what certificates are actually served. I've seen this fail before (TLS tests flip/flop between good/bad between checks).
As for wildcard certs, I agree there are use cases where we really need them like dynamic subdomains {customer}.status.com
Can you share how they make ACME client configuration easier?
> Can you share how they make ACME client configuration easier?
It's not a profound difference, but you don't need to add each name to your config. Depending on the team's tooling and processes, that may be inconsequential. But in a setting where config management isn't handled super well, where the TLS terminator is a resource shared by multiple, distinct teams, this is a simplification that can make a difference at the margin.
Think less Cloudflare-scale, and more SMB scale (especially in a Windows shop or recovering Windows shop with a different kind of technical culture than what we might all be implicitly imagining).
I'm working on something that could help: linking sslboard with software that's making issuance and distribution of certs easier, i.e. a proper CLM. It's not cloud based for security reasons. In that context, we know your wildcard certs because we issue them, and we could know where they are if we distribute them...
Please get in touch with me (chris@sslboard.com) if you're interested in early access and having a word in the development of the product!
I didn't realize you were behind SSLBoard. I think you should've disclaimed that involvement at the beginning. I see now that it's in your bio, but disclaiming is still on you.
Indeed, SSLBoard is scanning CT logs. You can add/import host names though, to allow monitoring of wildcard certs. Same if you're using ports that are not 443, you have to add these to the list of hostnames that are checked.
It's not as convenient, but it's the best SSLBoard can do...
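The inventory-driven check the thread describes, as an added example in Python (not SSLBoard's code and not posted by anyone in the thread): a list of `host[:port]` entries maintained internally (e.g. dumped from local DNS) is checked directly, so wildcard certs, non-443 ports and hosts absent from CT logs are all covered. `fetch_cert` uses only the standard library's `ssl` module; the hostnames, ports, certificates and the `WARN_DAYS` threshold below are constructed for the example, and `fetch` is injectable so the logic can run offline against those constructed certs.

```python
import datetime as dt
import socket
import ssl

WARN_DAYS = 14  # alert threshold in days; constructed value for this example


def san_matches(hostname: str, san_name: str) -> bool:
    """Does one DNS SAN entry cover this hostname?

    Wildcards follow the usual browser rule: a leading "*" label stands in for
    exactly one label, so "*.example.com" covers "app.example.com" but neither
    "example.com" nor "a.b.example.com".
    """
    hostname = hostname.lower().rstrip(".")
    san_name = san_name.lower().rstrip(".")
    if not san_name.startswith("*."):
        return hostname == san_name
    suffix = san_name[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def days_left(not_after: str, now: dt.datetime) -> float:
    """Days until notAfter, given in the text format ssl.getpeercert() returns."""
    expires = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), dt.timezone.utc)
    return (expires - now).total_seconds() / 86400


def fetch_cert(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the leaf cert as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_endpoint(host: str, port: int, cert: dict, now: dt.datetime) -> dict:
    """Evaluate one served certificate against the hostname it was fetched for."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    left = days_left(cert["notAfter"], now)
    problems = []
    if not any(san_matches(host, s) for s in sans):
        problems.append("name-mismatch")
    if left < 0:
        problems.append("expired")
    elif left < WARN_DAYS:
        problems.append("expiring")
    return {
        "endpoint": f"{host}:{port}",
        "days_left": round(left, 1),
        "wildcard": any(s.startswith("*.") for s in sans),
        "problems": problems,
    }


def check_inventory(inventory, now=None, fetch=fetch_cert):
    """Check every "host[:port]" entry (port defaults to 443) and report per endpoint."""
    now = now or dt.datetime.now(dt.timezone.utc)
    results = []
    for entry in inventory:
        host, _, port = entry.partition(":")
        port = int(port) if port else 443
        try:
            cert = fetch(host, port)
        except ssl.SSLCertVerificationError as exc:
            # With a verifying context an expired or mis-named cert fails the
            # handshake before we can read it; that failure is itself the alert.
            problem = f"tls-verify-failed: {getattr(exc, 'verify_message', exc)}"
        except OSError as exc:  # ssl.SSLError is an OSError subclass too
            problem = f"connect-failed: {type(exc).__name__}"
        else:
            results.append(check_endpoint(host, port, cert, now))
            continue
        results.append({"endpoint": f"{host}:{port}", "days_left": None,
                        "wildcard": None, "problems": [problem]})
    return results


# --- constructed sample inventory and certificates (not real hosts) ---
SAMPLE_NOW = dt.datetime(2030, 9, 1, tzinfo=dt.timezone.utc)
SAMPLE_INVENTORY = ["www.example.com", "intranet.example.internal:8443",
                    "legacy.example.com", "down.example.com"]
SAMPLE_CERTS = {
    ("www.example.com", 443): {"notAfter": "Sep 10 00:00:00 2030 GMT",
                               "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))},
    ("intranet.example.internal", 8443): {"notAfter": "Dec 31 23:59:59 2030 GMT",
                                          "subjectAltName": (("DNS", "*.example.internal"),)},
    ("legacy.example.com", 443): {"notAfter": "Aug 20 00:00:00 2030 GMT",
                                  "subjectAltName": (("DNS", "old.example.com"),)},
}


def sample_fetch(host: str, port: int) -> dict:
    """Stand-in for fetch_cert serving the constructed certs; unknown hosts refuse."""
    try:
        return SAMPLE_CERTS[(host, port)]
    except KeyError:
        raise ConnectionRefusedError(f"{host}:{port}")


def demo():
    return check_inventory(SAMPLE_INVENTORY, now=SAMPLE_NOW, fetch=sample_fetch)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run against a real inventory by calling `check_inventory(entries)` with the default `fetch_cert`; a cron job or monitoring agent can turn any non-empty `problems` list into an alert. Note that `ssl.getpeercert()` returns an empty dict when verification is disabled, so the checker deliberately keeps verification on and treats a handshake failure as a finding rather than trying to read an unverified cert.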
Unsurprisingly it’s a European article. Europe will tax AI to death like it does with everything it can’t find a way to compete in. And it can’t compete in much…
I dearly remember seeing a PX-8 in the hands of a person (was it by a pool?) and thinking "it would be so nice if work could look like that". It must have been Byte magazine?
I was a kid in France, now I'm working remotely from Bangkok: dreams come true after all.
You could create a browser extension that normal users could install that would warn them of a phishing site or email from that domain. It would be 0 cost since you already have the data.
There are no TLS certs, it's X.509 certs :) SSL certificate is still the name used by everybody though. For the protocol, TLS is correct (apart from SSLv3 which is very deprecated).
My sincere condolences to the author. Wishing you strength and peace.
I once saw a man have a heart attack on the beach, less than a 5-minute drive from a fire station and rescue team. A helicopter arrived after 45 minutes, and the man was deceased already. That was in Martinique, French Caribbean.
There's a need for an app to let patients track the ambulance. It's been possible for 10+ years, as seen with Uber. It seems existing products have focused on tracking only for the purpose of managing a fleet, missing the focus on patients needs.
Personally I see plenty of problems with a real-time public broadcast of all the addresses a medical event has occurred at, the patients' location in transit, and the hospitals that received those patients.
"Ambulance chaser" is a rather derogatory phrase for a reason.
There's no need to post 7-digit-accurate GPS coordinates; the important thing is to have an understanding of how many are how far from where they are going to, ETA, and what the capacity is (free units ready, or cars yes but crew not, or vice versa).
An emergency dispatcher could send a Text message back with a link to a private, case-limited, web page with an ETA + a map + the ambulance location in real time.
See? No "real-time public broadcast of all the addresses a medical event has occurred at".
This would be a great way for thieves to determine which house is likely to have just had everyone leave it in a hurry and not likely to return any time soon.
$1465: That's what a nylon+paper bag from Issey Miyake costs. Then the price of this cut-up sock makes sense: it's not an iPhone accessory, it's a luxury fashion item.