Doomsday: x509 Certificate Expiration Monitoring

As of this writing, it is 2019, and the tech-world has generally accepted TLS as a “good thing.” So let’s put certificates on our servers to make sure we’re talking to the right servers, and let’s also put certificates on our clients to make sure that the right clients are talking to the right servers.

Done.

Now we’ve got 1000 certificates securing our datacenter. Neat. But they’re all going to expire someday, and when they do, our servers and clients won’t want to talk to each other anymore, and then our things are all broken. Not so neat.

I’m bad at remembering birthdays, so I made an app that remembers all my certificate’s birthdays for me. It’s called Doomsday, because that’s what happens when you let your certificates expire.

How Does It Work?

All your certificates have to be stored somewhere. Maybe you put them in Vault, or maybe Credhub. Maybe Pivotal Ops Manager takes care of them for you. Doomsday can scrape these storage backends for certificates, ingest the information it needs to keep track of certificate expiry, and then put that information in a format that makes it easy for you to see when you have to renew your certificates by.

Also, the application is stateless, so you can put it on your Cloud Foundry. We made a BOSH release too, if that’s your thing. Check out the cool stuff in our GitHub org at:

https://github.com/doomsday-project.

What Does It Look Like?

And hey, did you know that the server binary is also a CLI? Well it is. We like to put it in our .bashrcs so that we are made aware of what is expiring soon whenever we log in. If there’s nothing to worry about, it only says that there are no certificates expiring soon.

But many people do not commonly use terminals. Many other people use terminals all the time but also like GUIs and that’s okay! What I mean is that there’s also a web UI you can put on a board in your NOC to scare small children.

How Do I Use It?

Links!

Cloud Foundry? Follow this README!

BOSH Release? We’ve got a repository for you HERE!

As far as configuration goes, you can find an example annotated configuration at:

https://github.com/doomsday-project/doomsday/blob/master/docs/ddayconfig.yml.

I’m aware that there’s a fair bit of text in there. Pending a more human-readable form of documentation, feel free to drop an issue in the repository if you have any questions on what to do.

Bonus Content

Dave Dobmeier and I gave a talk about this piece of software at Cloud Foundry Summit 2019. This is a video of that talk.

If you need help with your cloud journey or going Cloud Native, contact us.

Spread the word

twitter icon facebook icon linkedin icon