mCert
SSL certificate monitoring with Slack/email alerts & Telegram
Updated Jan 15, 2024
6 min read
Beginner
tools
mCert
mCert is a comprehensive SSL certificate monitoring tool that provides proactive alerts for certificate expiration, security issues, and configuration problems. With support for Slack, email, and Telegram notifications, mCert ensures you never miss a certificate renewal deadline.
Overview
SSL certificate management is critical for maintaining secure web services. mCert automates the monitoring process, providing:
- Expiration Monitoring: Track certificate validity periods
- Multi-Channel Alerts: Slack, email, and Telegram notifications
- Security Scanning: Detect weak ciphers and vulnerabilities
- Bulk Monitoring: Monitor hundreds of certificates simultaneously
- Automated Reporting: Generate compliance and status reports
Features
🔍 Certificate Monitoring
- Real-time expiration tracking
- Multiple certificate format support (PEM, DER, PKCS#12)
- Wildcard and SAN certificate support
- Certificate chain validation
📱 Notification Channels
- Slack Integration: Rich notifications with status indicators
- Email Alerts: Detailed reports with certificate details
- Telegram Bot: Instant notifications with inline keyboards
- Webhook Support: Custom integrations via HTTP webhooks
🛡️ Security Analysis
- Cipher strength analysis
- Protocol version detection
- Certificate authority validation
- Vulnerability scanning
Installation
Docker Installation (Recommended)
# Pull the latest image
docker pull harrythedevopsguy/mcert:latest
# Run with configuration
docker run -d \
--name mcert \
-v $(pwd)/config:/app/config \
-v $(pwd)/logs:/app/logs \
harrythedevopsguy/mcert:latest
Python Installation
# Clone repository
git clone https://github.com/HarryTheDevOpsGuy/mCert.git
cd mCert
# Create virtual environment
python -m venv venv
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Install mCert
pip install -e .
Binary Installation
# Download latest release
wget https://github.com/HarryTheDevOpsGuy/mCert/releases/latest/download/mcert-linux-amd64.tar.gz
# Extract and install
tar -xzf mcert-linux-amd64.tar.gz
sudo mv mcert /usr/local/bin/
sudo chmod +x /usr/local/bin/mcert
Configuration
Basic Configuration
Create a mcert.yml configuration file:
# Global settings
global:
check_interval: 3600 # Check every hour
alert_days: [30, 14, 7, 1] # Alert at these days before expiration
timezone: "UTC"
# Certificate monitoring
certificates:
- name: "Production Web Server"
hostname: "example.com"
port: 443
alert_days: [30, 14, 7, 1]
- name: "API Gateway"
hostname: "api.example.com"
port: 443
alert_days: [30, 7, 1]
- name: "Internal Service"
hostname: "internal.example.com"
port: 443
alert_days: [14, 7, 1]
ignore_ssl_errors: true
# Notification channels
notifications:
slack:
enabled: true
webhook_url: "${SLACK_WEBHOOK_URL}"
channel: "#security-alerts"
username: "mCert Bot"
icon_emoji: ":lock:"
email:
enabled: true
smtp_server: "smtp.gmail.com"
smtp_port: 587
username: "${EMAIL_USERNAME}"
password: "${EMAIL_PASSWORD}"
from_address: "mcert@company.com"
to_addresses:
- "security@company.com"
- "devops@company.com"
telegram:
enabled: true
bot_token: "${TELEGRAM_BOT_TOKEN}"
chat_id: "${TELEGRAM_CHAT_ID}"
webhook:
enabled: true
url: "https://your-webhook.com/certificate-alerts"
headers:
Authorization: "Bearer ${WEBHOOK_TOKEN}"
Environment Variables
# Slack Configuration
export SLACK_WEBHOOK_URL="https://hooks.slack.com/services/..."
# Email Configuration
export EMAIL_USERNAME="mcert@company.com"
export EMAIL_PASSWORD="your-app-password"
# Telegram Configuration
export TELEGRAM_BOT_TOKEN="123456789:ABCdefGHIjklMNOpqrsTUVwxyz"
export TELEGRAM_CHAT_ID="-1001234567890"
# Webhook Configuration
export WEBHOOK_TOKEN="your-webhook-token"
Usage
Command Line Interface
# Check all certificates
mcert check
# Check specific certificate
mcert check --hostname example.com --port 443
# Check with custom alert days
mcert check --alert-days 30,14,7,1
# Generate report
mcert report --format html --output certificates-report.html
# Start monitoring daemon
mcert daemon --config mcert.yml
# Test notifications
mcert test-notifications
Python API
from mcert import CertificateMonitor, NotificationManager
# Initialize monitor
monitor = CertificateMonitor(config_file='mcert.yml')
# Check single certificate
cert_info = monitor.check_certificate('example.com', 443)
print(f"Certificate expires: {cert_info.expiry_date}")
# Check all certificates
results = monitor.check_all_certificates()
# Send custom notification
notifier = NotificationManager(config_file='mcert.yml')
notifier.send_alert(
certificate='example.com',
days_remaining=7,
message='Certificate expires in 7 days!'
)
Notification Examples
Slack Notification
{
"text": "🔒 SSL Certificate Alert",
"attachments": [
{
"color": "warning",
"fields": [
{
"title": "Certificate",
"value": "example.com",
"short": true
},
{
"title": "Days Remaining",
"value": "7",
"short": true
},
{
"title": "Expiry Date",
"value": "2024-02-15 10:30:00 UTC",
"short": false
}
]
}
]
}
Email Template
<!DOCTYPE html>
<html>
<head>
<title>SSL Certificate Alert</title>
</head>
<body>
<h2>🔒 SSL Certificate Expiration Alert</h2>
<div style="background-color: #fff3cd; padding: 15px; border-radius: 5px;">
<h3>Certificate Details</h3>
<ul>
<li><strong>Hostname:</strong> example.com</li>
<li><strong>Days Remaining:</strong> 7</li>
<li><strong>Expiry Date:</strong> 2024-02-15 10:30:00 UTC</li>
<li><strong>Issuer:</strong> Let's Encrypt Authority X3</li>
</ul>
</div>
<p>Please renew this certificate as soon as possible to avoid service disruption.</p>
</body>
</html>
Telegram Message
def send_telegram_alert(certificate, days_remaining):
message = f"""
🔒 *SSL Certificate Alert*
*Certificate:* {certificate}
*Days Remaining:* {days_remaining}
*Status:* ⚠️ Expiring Soon
Please renew this certificate to avoid service disruption.
"""
keyboard = [
[{"text": "View Certificate", "url": f"https://www.ssllabs.com/ssltest/analyze.html?d={certificate}"}],
[{"text": "Renew Now", "callback_data": f"renew_{certificate}"}]
]
return {
"text": message,
"parse_mode": "Markdown",
"reply_markup": {"inline_keyboard": keyboard}
}
Advanced Features
Bulk Certificate Import
# Import from CSV
certificates:
- import_from: "certificates.csv"
columns:
name: "Certificate Name"
hostname: "Domain"
port: "Port"
alert_days: "Alert Days"
Custom Health Checks
def custom_health_check(certificate_info):
"""Custom health check function"""
# Check certificate strength
if certificate_info.key_size < 2048:
return False, "Key size too small"
# Check cipher suites
if 'RC4' in certificate_info.cipher_suites:
return False, "Weak cipher detected"
return True, "Certificate is healthy"
Integration with CI/CD
# GitHub Actions example
name: Certificate Check
on:
schedule:
- cron: '0 9 * * *' # Daily at 9 AM
jobs:
check-certificates:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Check SSL Certificates
run: |
mcert check --config mcert.yml
if [ $? -ne 0 ]; then
echo "Certificate issues detected!"
exit 1
fi
Monitoring and Alerting
Prometheus Metrics
mCert exposes Prometheus metrics for monitoring:
# Metrics endpoint
from prometheus_client import Counter, Histogram, Gauge
certificate_checks = Counter('mcert_certificate_checks_total', 'Total certificate checks')
certificate_expiry_days = Gauge('mcert_certificate_expiry_days', 'Days until certificate expiry', ['hostname'])
check_duration = Histogram('mcert_check_duration_seconds', 'Time spent checking certificates')
Grafana Dashboard
{
"dashboard": {
"title": "SSL Certificate Monitoring",
"panels": [
{
"title": "Certificate Expiry Timeline",
"type": "graph",
"targets": [
{
"expr": "mcert_certificate_expiry_days",
"legendFormat": ""
}
]
}
]
}
}
Troubleshooting
Common Issues
Certificate Check Fails
# Debug certificate connection
mcert check --hostname example.com --port 443 --verbose
# Check SSL/TLS version
openssl s_client -connect example.com:443 -tls1_2
# Verify certificate chain
openssl s_client -connect example.com:443 -showcerts
Notification Delivery Issues
# Test Slack webhook
curl -X POST -H 'Content-type: application/json' \
--data '{"text":"Test message"}' \
$SLACK_WEBHOOK_URL
# Test email configuration
mcert test-email --to test@example.com
# Test Telegram bot
mcert test-telegram
Performance Issues
# Optimize configuration
global:
check_interval: 7200 # Reduce check frequency
max_concurrent_checks: 10 # Limit concurrent checks
timeout: 30 # Set connection timeout
API Reference
REST API
# Start API server
mcert api --port 8080
# Check certificates via API
curl http://localhost:8080/api/v1/certificates
# Get specific certificate status
curl http://localhost:8080/api/v1/certificates/example.com
# Trigger manual check
curl -X POST http://localhost:8080/api/v1/check
Webhook Payload
{
"event": "certificate_expiring",
"timestamp": "2024-01-15T10:30:00Z",
"certificate": {
"hostname": "example.com",
"port": 443,
"expiry_date": "2024-02-15T10:30:00Z",
"days_remaining": 7,
"issuer": "Let's Encrypt Authority X3",
"subject": "CN=example.com"
}
}
Contributing
We welcome contributions! Please see our Contributing Guidelines for details.
Development Setup
# Fork and clone repository
git clone https://github.com/your-username/mCert.git
cd mCert
# Create development environment
python -m venv venv
source venv/bin/activate
# Install development dependencies
pip install -r requirements-dev.txt
# Run tests
pytest tests/
# Run linting
flake8 mcert/
black mcert/
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
- Documentation: https://harrythedevopsguy.github.io/docs/tools/mcert/
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Email: HarrytheDevOpsGuy@gmail.com
**Pro Tip**: Set up mCert to run as a systemd service for continuous monitoring. Check our [deployment guide](https://github.com/HarryTheDevOpsGuy/mCert/wiki/Deployment) for detailed instructions.
Related Documentation
More from Tools
Related by Tags
No related documentation found by tags
Related Blog Posts
OpenResty Production Setup: Supercharge with Lua-Based Metrics and Monitoring
Complete guide to deploying production-ready OpenResty with advanced Lua-based metrics collection...
Oct 16, 2024
KEDA on EKS: Complete Guide to Event-Driven Autoscaling with Real-World Examples
Master KEDA implementation on Amazon EKS with comprehensive examples for multiple scaling scenari...
Oct 15, 2024
AIOps: AI-Powered DevOps Automation and Intelligent Operations
Comprehensive guide to implementing AIOps - using AI and machine learning to transform DevOps pra...
Oct 14, 2024
Related Tools & Projects
BG Deployer
Automated blue-green deployment for zero-downtime AWS releases
AWS
Blue-Green
mCert
SSL certificate monitoring with Slack/email alerts & Telegram
SSL
Telegram
mTracker
Real-time Linux user activity monitoring with Slack notifications
Linux
Monitoring
mWatcher
Server health monitoring for CPU, memory, disk with alerting
Health
Alerts
gCrypt
Git-crypt wrapper for secure file encryption & access management
Security
Git-crypt
Interactive Tools
AWS VPC Designer, EKS Cost Calculator, and more utilities
Tools
Calculator
External Resources
Quick Actions
Found this helpful?
Help us improve this documentation by sharing your feedback or suggesting improvements.