Check Website Certificate Changes

TL;DR

Automatically monitor your website’s SSL/TLS certificate to ensure it hasn’t unexpectedly changed. This guide shows you how to use a simple script and cron job to check the certificate authority (CA) regularly and alert you if there’s an issue.

Solution Guide

  1. Create a Script to Check the Certificate
    • We’ll use openssl, which is usually pre-installed on Linux systems. If not, install it with your package manager (e.g., sudo apt install openssl on Debian/Ubuntu).
    • Create a file named check_certificate.sh and add the following script:
      #!/bin/bash
      
      DOMAIN="yourdomain.com"
      CERT_FILE="/path/to/your/certificate.pem"   # Replace with your certificate path
      CA_STORE="/path/to/previous_ca.txt"          # File that stores the last known CA
      ALERT_EMAIL="alerts@example.com"             # Replace with your alert address
      
      # Issuer (CA) of the certificate currently on disk; abort if the file cannot be read
      CURRENT_CA=$(openssl x509 -in "$CERT_FILE" -noout -issuer) || exit 1
      PREVIOUS_CA=$(cat "$CA_STORE" 2>/dev/null)
      
      # First run: nothing to compare against yet, so record the CA and exit quietly
      if [ -z "$PREVIOUS_CA" ]; then
        echo "$CURRENT_CA" > "$CA_STORE"
        exit 0
      fi
      
      if [ "$CURRENT_CA" != "$PREVIOUS_CA" ]; then
        echo "Certificate authority has changed for $DOMAIN!"
        printf 'Old CA: %s\nNew CA: %s\n' "$PREVIOUS_CA" "$CURRENT_CA" \
          | mail -s "Website Certificate Change Alert - $DOMAIN" "$ALERT_EMAIL"
        echo "$CURRENT_CA" > "$CA_STORE"   # Update the stored CA
      fi
      
      exit 0
    • Important: Replace yourdomain.com with your actual domain name, /path/to/your/certificate.pem with the full path to your certificate file (usually in /etc/ssl/certs/), and alerts@example.com with the email address that should receive alerts.
    • Create an empty file called previous_ca.txt at /path/to/previous_ca.txt. This will store the CA from the last check. You can create it using touch /path/to/previous_ca.txt.

    • Make the script executable:
      chmod +x check_certificate.sh
  2. Test the Script
    • Run the script manually to ensure it works correctly: ./check_certificate.sh. It won’t send an email on the first run, because previous_ca.txt is empty and there is nothing to compare against yet.

    • To test the alert, temporarily change your certificate (e.g., by renewing it) and then run the script again. You should receive an email notification. Remember to restore your original certificate after testing!
  3. Set up a Cron Job
    • Edit your crontab using crontab -e. If prompted, choose an editor (nano is usually easiest).

    • Add a line to run the script regularly. For example, to run it every day at 3 AM:
      0 3 * * * /path/to/check_certificate.sh
    • Save and close the crontab file. The cron job will now run automatically according to your schedule.
  4. Troubleshooting
    • Email not received: Check your spam folder. Ensure that mail is configured correctly on your server (often requires setting up an SMTP relay). Verify the email address in the script is correct.
    • Script errors: Check your system logs for any error messages related to the script or openssl. Make sure the paths to the certificate and previous_ca.txt are accurate.
    • Permissions: Ensure the script has execute permissions (chmod +x check_certificate.sh).
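The script above compares only the issuer line of a certificate file on disk. The following is an added example, not the original post's script: it fetches the certificate the server actually serves (openssl s_client) and tracks issuer, SHA-256 fingerprint and expiry together, so a certificate re-issued by the same CA is still noticed and the first run only records a baseline. Function names and the example state-file path are my own.

```bash
#!/bin/bash
# Added example (not the original post's script). Tracks issuer, SHA-256
# fingerprint and expiry of the certificate a server serves, so a re-issued
# certificate from the same CA is still detected. Helper names are my own.

# Fetch the leaf certificate a TLS server presents for host $1 on port $2 (default 443).
fetch_live_cert() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Summarise a PEM certificate file as three lines: issuer=, sha256 Fingerprint=, notAfter=.
cert_state() {
  openssl x509 -in "$1" -noout -issuer -fingerprint -sha256 -enddate
}

# Compare certificate file $1 against the state file $2 and update the state.
# Return codes: 0 unchanged, 1 changed (previous/current printed), 2 first run
# (baseline stored, nothing to compare), 3 certificate could not be parsed.
check_cert_change() {
  local cert="$1" state="$2" current previous
  current=$(cert_state "$cert") || return 3
  if [ ! -s "$state" ]; then
    printf '%s\n' "$current" > "$state"
    return 2
  fi
  previous=$(cat "$state")
  if [ "$current" = "$previous" ]; then
    return 0
  fi
  printf 'Certificate change detected\n--- previous ---\n%s\n--- current ---\n%s\n' \
    "$previous" "$current"
  printf '%s\n' "$current" > "$state"
  return 1
}

# Script mode (hypothetical paths): ./check_live_cert.sh example.com /var/lib/certwatch/example.com.state
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  tmp=$(mktemp) || exit 3
  if fetch_live_cert "$1" > "$tmp"; then
    check_cert_change "$tmp" "$2"; rc=$?
  else
    echo "Could not fetch certificate from $1" >&2; rc=3
  fi
  rm -f "$tmp"
  exit "$rc"
fi
```

Run it from cron the same way as check_certificate.sh and pipe its output to mail; a non-zero exit of 1 is the alert condition, 2 is the harmless first run.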