
Automatic check for expiring SSL certificates

A quick solution to periodically check your certificates for expiry and get a notification by mail before they expire. I have multiple PKIs and found it really useful to have such an automatic service.

The tool ssl-cert-check, which is part of the Debian package repository, does quite a good job of finding expiring certificates but unfortunately doesn't support scanning directories. Luckily, the author of this tool implemented this feature in the latest version available on GitHub.

First, we have to clone the repository so that the latest version is available on our system.

I created a small shell script which does the actual check and sends a mail if a certificate will expire within 60 days. The script is also available as a Gist.

I placed the script within the ssl-cert-check folder. The script will check all certificates in the subfolder certs. Here is the folder structure:

To include certificates, we just need to create a symlink in the certs folder. I added links to my easy-rsa PKIs to include them.

For a periodic check, we finally need to add the script to the cron daemon. For a daily check:
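As an added example that is not the author's Gist script or ssl-cert-check itself, the following script does the same job with openssl directly: it follows the symlinks in the certs folder, reports every certificate that expires within 60 days, and mails the report only when there is something to report. It assumes GNU date (for `date -d`), openssl and a working `mail` command; CERT_DIR and MAIL_TO are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not the author's gist or ssl-cert-check itself: scan a
# certificate directory with openssl and mail a report of certificates that
# expire within WARN_DAYS. Assumes GNU date (for `date -d`), openssl and a
# working `mail` command; CERT_DIR and MAIL_TO are placeholders to adjust.

WARN_DAYS="${WARN_DAYS:-60}"
CERT_DIR="${CERT_DIR:-./certs}"            # symlinks to your PKIs go here
MAIL_TO="${MAIL_TO:-admin@example.com}"    # placeholder recipient

# Turn an OpenSSL "notAfter=Jan  1 00:00:00 2030 GMT" line into whole days
# from now. Negative means already expired; returns 1 if the date is unparsable.
days_until_expiry() {
    not_after="${1#notAfter=}"
    expiry_epoch=$(date -u -d "$not_after" +%s 2>/dev/null) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Print one line per certificate under $1 that expires within $2 days.
# find -L follows the symlinks into the PKI directories. Files that are not
# certificates (e.g. dh.pem) are reported as UNREADABLE rather than skipped.
check_dir() {
    find -L "$1" -type f \( -name '*.crt' -o -name '*.pem' \) | sort |
    while read -r cert; do
        enddate=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) \
            || { echo "UNREADABLE: $cert"; continue; }
        left=$(days_until_expiry "$enddate") \
            || { echo "UNPARSABLE: $cert ($enddate)"; continue; }
        if [ "$left" -le "$2" ]; then
            echo "$left days left: $cert"
        fi
    done
}

# Entry point for cron: only send mail when there is something to report.
main() {
    report=$(check_dir "$CERT_DIR" "$WARN_DAYS")
    [ -n "$report" ] || return 0
    printf '%s\n' "$report" | mail -s "Certificates expiring within $WARN_DAYS days" "$MAIL_TO"
}

# Run the check only when invoked with --run, so that sourcing the file
# (for example to reuse the functions) has no side effects.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Call it from cron as `/path/to/check-certs.sh --run`; already-expired certificates show up with a negative day count.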

Disable serial console in Debian

Especially for servers you don't physically control, such as virtual servers, it makes sense not to focus on SSH security alone. For virtual servers it's quite common to have a virtual serial console which is accessible through your server control panel.

If someone gains access to this server control panel, they have direct access to the system login. Login controls such as restricting access to public key authentication are part of SSH and don't apply here. Because you shouldn't trust the server provider to have implemented security perfectly, it's good practice to also take this channel into account.

One solution is to completely disable the serial console after system boot. This makes a booted system inaccessible over the serial console. The following configuration works on Debian with systemd.

Modify /etc/systemd/logind.conf and set ReserveVT and NAutoVTs to 0. These settings control how many virtual terminals are reserved or automatically allocated by the system.

Disable tty1.

The status of the disabled service should be like this.

After rebooting the system, you can still see the system boot, including GRUB (the boot loader), and you can also interrupt the boot procedure. But once the system has booted completely, it is inaccessible from the serial console.

Debian mdadm post boot assemble

After the upgrade to Debian Stretch, I had problems getting my RAID volume with an external bitmap assembled. After assembling according to the definition in /etc/mdadm/mdadm.conf, the array was created without the configured external bitmap.

The reason for this issue was that the mdadm assembly is done in the initramfs during boot. At this stage, the volume holding the external bitmap doesn't exist yet.

To solve this, we need to disable the mdadm assembly during boot. The following steps describe how to configure mdadm to assemble an array after the kernel has booted, with support for an external bitmap.

Add an external bitmap to the array.

Disable the initramfs mdadm hook.

Update the initramfs.

To check the contents of the current initramfs, you can do the following.

After a reboot, you should find the array assembled with the external bitmap enabled.