louislam / uptime-kuma

A fancy self-hosted monitoring tool
https://uptime.kuma.pet
MIT License

Add SSL Certificate checks for General TCP ports #1079

Open throwabird opened 2 years ago

throwabird commented 2 years ago

⚠️ Please verify that this feature request has NOT been suggested before.

🏷️ Feature Request Type

New Notification, New Monitor

🔖 Feature description

Say you have an application running on a TCP port using an SSL Certificate that will expire eventually. You want to have notifications for the certificate expiry (as is possible with HTTPS currently).

Use cases

IMAP on Port 993

openssl s_client -connect imap.gmail.com:993

SMTP starttls checks on Port 25

openssl s_client -starttls smtp smtp.gmail.com:25

✔️ Solution

I propose Uptime Kuma adds (optional) SSL certificate monitoring for the TCP Port Monitor which might use similar functionality as described above.

❓ Alternatives

No response

📝 Additional Context

Trying to add expiry notifications for my mail server certificate.

alexlehm commented 1 year ago

I would like that as well. I am monitoring my gemini server, which is ssl on port 1965, and it would be nice to check the connect and maybe the cert validity, since the server usually uses a custom cert where only validity is checked.

woj-tek commented 1 year ago

Yes, that would be great. Apart from IMAP mentioned already, XMPP also operates over TCP/SSL so it would help a lot.

There is also STARTTLS, but it's protocol dependent, and I think there is a general trend toward avoiding STARTTLS and just using DirectTLS (TCP/SSL).

alexlehm commented 1 year ago

STARTTLS is mostly used for SMTP, I guess. That is easy to implement for a check but requires a rule for each protocol. Plain TLS connects like SMTPS are much easier.

woj-tek commented 1 year ago

I agree that DirectTLS is easier (simply open an encrypted socket) and STARTTLS would require handling for each protocol (the list is available here: https://en.wikipedia.org/wiki/Opportunistic_TLS#SSL_ports). From my perspective I'm mostly interested in XMPP (I agree it's not the most popular protocol nowadays), and unfortunately STARTTLS is the most popular mechanism in it (DirectTLS is getting more popular but it's not there yet).

alexlehm commented 1 year ago

It should be easy to write a plugin for that for the monitor (though I have not looked at how plugins work in general, it might be worthwhile to write a few).

CommanderStorm commented 1 year ago

> It should be easy to write a plugin for that for the monitor (though I have not looked at how plugins work in general, it might be worthwhile to write a few)

There are multiple proposals in issues. Until now there has been #1787 accepted, but more could follow. This is a feature in the ideas section of the Roadmap. I don't quite know what Louis's vision is on this topic, but one plugin is available at https://uptime.kuma.pet/c/plugins.json

Please note that there has been this draft: https://github.com/louislam/uptime-kuma/pull/1626 => This should imo be handled this way

sarfaraz-ecosmob commented 1 year ago

I would like that as well. I am monitoring ssl on a custom tcp port.

h4knet commented 12 months ago

+1 Would be a nice feature to have!

CommanderStorm commented 12 months ago

@h4knet

Please refrain from posting +1 / requests for updates things on issues, as this makes issue-management harder. Issues are for discussing what needs to be done how by whom. We use 👍🏻 on issues to prioritise work, as always: Pull Requests welcome.

Techssh commented 11 months ago

Yes, I like to check the certificate on port 853 for DNS over TLS as well.

CommanderStorm commented 11 months ago

@Techssh as mentioned above:

> Please refrain from posting +1 / requests for updates things on issues, as this makes issue-management harder. Issues are for discussing what needs to be done how by whom. We use 👍🏻 on issues to prioritise work, as always: Pull Requests welcome.

We would be open to such contributions. See our contribution guide and dns.js

kolbma commented 10 months ago

When implementing this, can you please add an option to compare the public key of the certificate with a stored public key in the monitor configuration.
E.g. via sha256sum of the public key block.

A public key compare is the only possibility to check that the cert has been requested by the private key owner and not by a 3rd party with a different private key acting as MITM.

alexlehm commented 10 months ago

> When implementing this, can you please add an option to compare the public key of the certificate with a stored public key in the monitor configuration. E.g. via sha256sum of the public key block.

That would be useful for both HTTPS checks and generic TLS checks.

CommanderStorm commented 10 months ago

@kolbma You can add your own CA to the list of trusted CAs via NODE_EXTRA_CA_CERTS=file. What you are requesting is a different feature

emerysteele commented 5 months ago

Would really love this feature. My web/email server seems to have some quirks sometimes where the TLS cert will auto renew but will only be applied to the web server, and not the imap or smtp servers.

If TLS cert could be monitored for other ports, would be great help to catch it before it expires.

windware-ono commented 5 months ago

This feature is very useful in a case like the one mentioned in the above comment: there are many tools that can monitor the validity of https certs, but when it comes to mail servers, I'll probably have to deploy my own shell script so as not to miss expirations, which would cause email clients (especially automated ones) to bork one day without notice.