
Using Jenkins to Monitor SSL Certificates


There are great tools like Let’s Encrypt to generate free HTTPS certificates for your websites, but sometimes certbot renewals fail. Everyone should have some level of monitoring to ensure that their site has a valid SSL certificate. It’s always embarrassing to go to a site you run and find the dreaded blocked page.

If you are looking for a no-hassle hosted solution, Statuscake is set up to monitor server uptime and SSL certificates of public servers. The free version limits you to a single SSL certificate check and the next tier lets you check 50 domains for $25/month. It has built-in email or Slack notifications.

However, if you have a Jenkins instance and want to check as many domains as you like or want to check servers that are not public (behind a firewall), then you have two options:

Jenkins Job using curl

A very simple way to check a site’s certificate is to call curl. Most Linux systems have curl already installed, and it returns an exit code of 0 if everything is OK. If certificate validation fails, curl exits with a non-zero code, which fails the Jenkins build.

In the Jenkins job, add a build step with Execute Script:

curl https://expired.checkssl.org

Jenkins Job using checkssl

However, if you are looking for a more detailed SSL check that returns a better report of why the check failed, look at the CLI tool checkssl.

https://www.checkssl.org

> checkssl -days=7 steve.zazeski.com
steve.zazeski.com
openresty
1) steve.zazeski.com expires on 2021-03-07 2:29PM Sun (42.9 days)
CA-2) R3 expires on 2021-09-29 7:21PM Wed (249.1 days)
CA-3) DST Root CA X3 expires on 2021-09-30 2:01PM Thu (249.8 days)
[PASS] https://steve.zazeski.com

Creating the Jenkins Job

  1. Create a New Item
  2. Enter a task name (ideally use a name without spaces like check-website)
  3. Select Freestyle project
  4. Click Ok
  5. Enter a Description if desired
  6. Check Discard old builds and set Max # of builds to keep to 7
  7. Check Build periodically and set it to @daily
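  8. Click Add a build step with Execute Shell and enter:
# Download the checkssl binary only if it is not already in the workspace.
# The binary runs as downloaded; verify it first if your policy requires it.
stat checkssl > /dev/null 2>&1 || wget -O checkssl https://get.checkcli.com/checkssl/linux/64 && chmod +x checkssl

# Check the listed domains with the -days=7 option
./checkssl -days=7 steve.zazeski.com checkssl.org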
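
A days-before-expiry threshold can also be scripted with tools already on most build agents, which helps where an agent cannot download a third-party binary. The script below is an added example, not code from the original post or from the checkssl project; it assumes openssl and GNU date are installed, and the function names cert_status, fetch_not_after and check_hosts are hypothetical.

```sh
#!/bin/sh
# Added example for a Jenkins "Execute shell" step; not from checkssl or the post.
# Assumes openssl and GNU date on the agent. Function names are hypothetical.
# It reads only the leaf certificate's notAfter date; it does not validate the
# chain or hostname, so keep the curl or checkssl step for that.

# cert_status "<notAfter date>" <min_days> [now_epoch]
# Prints EXPIRED, EXPIRING (inside the threshold), OK, or UNPARSEABLE.
cert_status() {
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || { echo UNPARSEABLE; return 0; }
    now=${3:-$(date -u +%s)}
    left=$(( expiry - now ))
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -lt $(( $2 * 86400 )) ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# fetch_not_after <host> [port]  ->  e.g. "Mar  7 14:29:00 2021 GMT"
fetch_not_after() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# check_hosts <min_days> <host>...  ->  returns 1 if any host is not OK
check_hosts() {
    min_days=$1; shift
    rc=0
    for host in "$@"; do
        end=$(fetch_not_after "$host")
        if [ -z "$end" ]; then
            echo "[FAIL] $host: could not read a certificate"; rc=1; continue
        fi
        status=$(cert_status "$end" "$min_days")
        echo "[$status] $host notAfter=$end"
        [ "$status" = OK ] || rc=1
    done
    return "$rc"
}

# Runs only when arguments are given, e.g.: sh check-expiry.sh 7 steve.zazeski.com
# A non-zero exit status marks the Jenkins build as failed.
if [ "$#" -ge 2 ]; then
    check_hosts "$@"
fi
```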

Test URLs

If you want to test out what happens with the various monitoring solutions above, just try them with one of these:


I'm a 32 year old UIUC Computer Engineer building mobile apps, websites and hardware integrations with an interest in 3D printing, biotechnology and Arduinos.
