Where The Story Begins
When I talk about SSL Hound, I like to begin with a story. If you’ve ever been responsible for a website, it may sound familiar.
A couple of years ago, I was responsible for a handful of domains and the SSL certificates for them. The certificate on one of our highly trafficked domains expired, so there was a mad rush to get it renewed and installed. After several hours of effort, the issue seemed to be resolved. However, a few subdomains were missed. The scramble began again to update the certificate for the new SAN entries, then reinstall it everywhere. As fate would have it, the certificate was actually installed on an entirely separate domain, incorrectly, which needed to be fixed differently. The irony is that the company the SSL certificates were purchased from did send an email to notify us when the certificate was expiring, but the emails were going to someone in finance.
Getting a notice from the SSL certificate provider is helpful, but if it isn’t going to the right people, then what good is it? Even if you receive the email, it doesn’t tell you all of the places that the certificate is installed and used. It also doesn’t help you monitor or prevent misconfiguration and human error. After looking around, I didn’t find a service that solved this problem and I knew that my problem wasn’t unique. That’s how I came up with SSL Hound.
SSL Hound is a service that monitors endpoints that have SSL certificates. When a certificate is expiring soon, has expired, has changed, or can’t be verified, you get an email notification. The dashboard has a clean, easily scanned list of warnings and information, like the number of checks that have certificates expiring soon and the list of all of the endpoints that are being monitored.
Looking back, this tool would have saved me a lot of trouble. First, I would have gotten email notifications for the 60 and 30 day certificate expiration warning for all of the endpoints that are being monitored (example.com, www.example.com, email.example.com, another.weird.example.com, etc.). Second, if the certificate was misconfigured, I’d get a notification for the check failure, not hear it from my boss, or worse, our customers. Also, from the check details view, I would have been able to see what certificate chain is installed on which domains. I could have download the certificates and verified them locally as needed.