All too often we hear about a site going down or suffering problems because they’ve let their public x509 certificate expire. SSL certificates, which are required for HTTPS to work for secure connections using TLS to domains, expire after a number of years. Often, the team or individual who purchased and installed the initial HTTPS certificate is no longer in that role by the time the expiration occurs. If the company hasn’t put in place safeguards, or outsourced their SSL protection to a cloud service, they may not realize the certificate needs to be renewed until it’s already expired.
I tweeted a tip about one way dev teams can help avoid this scenario, which got some traction (more RTs for reach appreciated):
Pro Tip: Part of your automated test suite is one that hits your prod domains and fails if their certs expire in less than 30 days.— Steve "ardalis" Smith (@ardalis) May 7, 2019
Most dev and/or devops teams have automated tests running frequently. Typically these tests only run against the source code of the projects they’re stored with, but there’s nothing to prevent tests from making requests to real world resource, like your company’s public web site. Production tests are similar to health checks and can inform the team when things have gone wrong, or will soon if left unchecked.
It’s quite easy to configure a test that will run through one or more domains and will fail if any of their certificates are either currently invalid or are going to expire soon (say, within 30 days). When that test fails, it will alert the dev team that trouble is coming soon, and they can fix the problem or escalate it to whomever can fix it within the organization.
I wrote this up using my preferred platform of C#/xUnit/.NET Core, but if you have a similar approach using node or something else, please post your code in the comments or make a pull request to my GitHub repo.
Get the Code
You can download or copy/paste the code from its GitHub repository. Be sure to give it a star if you found it helpful.
What Happens When It Expires?
Here is a short list of reasons why you don’t want your certificate to expire: