Continuous Integration
Continuous Integration

Using Jenkins to Monitor SSL Certificates


There are great tools like Let’s Encrypt to generate free HTTPS certificates for your websites, but sometimes certbot renewals fail. Everyone should have some level of monitoring to ensure that your site has a valid SSL. It’s always embarrassing to go to a site you run and find the dreaded blocked page.

Option 1 : Statuscake

If you are looking for a no-hassle hosted solution, Statuscake is set up to monitor server uptime and SSL certificates of public servers. The free version limits you to a single SSL certificate check and the next tier lets you check 50 domains for $25/month. It has built-in email or slack notifications.

However, if you have a Jenkins instance and want to check as many domains as you like or want to check servers that are not public (behind a firewall), then you have two options:

Option 2 : Jenkins Job using curl

A very simple way to check a site’s certificate is to call curl. Most Linux systems have curl already loaded, and it will return an exit code of 0 if everything is ok.

In the Jenkins job, add a build step with Execute Script

curl https://expired.badssl.com

However, when things go wrong, curl is not very helpful to point you to the issue.

Option 3 : Jenkins Job using checkssl

However, if you are looking for a more detailed SSL check that returns a better report of why the SSL check failed, look at the CLI tool checkssl.

https://www.checkssl.org

checkssl -days=5 expired.badssl.com google.com reddit.com

Creating the Jenkins Job

  1. Create a New Item
  2. Enter a task name (ideally use a name without spaces like check-website)
  3. Select Freestyle project
  4. Click Ok
  5. Enter a Description if desired
  6. Check Discard old builds and set Max # of builds to keep to 7
  7. Check Build periodically and set it to @daily
  8. Click Add a build step with Execute Shell
stat checkssl > /dev/null || wget -O checkssl https://get.checkcli.com/checkssl/linux/64 && chmod +x checkssl

./checkssl -days=7 steve.zazeski.com checkssl.org

Test URLs

If you want to test out what happens with the various monitoring solutions above, just try them with one of these:

  • https://www.checkcli.com – should pass
  • https://expired.badssl.com – should fail
  • https://self-signed.badssl.com – should fail
  • https://wrong.host.badssl.com – should fail

openanalytics 3481 views

I'm a 34 year old UIUC Computer Engineer building mobile apps, websites and hardware integrations with an interest in 3D printing, biotechnology and Arduinos.


View Comments

Leave a Reply to Steve Zazeski
Cancel Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.