Serverless SSL Expiry Monitoring with AWS Lambda

SSL/TLS certificates are the bedrock of secure communication on the internet. They encrypt data, verify server identity, and build user trust. However, despite their critical role, certificate expiry often remains a blind spot for many organizations until it's too late. A sudden expiry can lead to service outages, broken applications, and a significant hit to your reputation. While traditional monitoring tools can track server health, they often fall short when it comes to the nuanced, time-sensitive nature of certificate lifecycles.

This article explores how you can leverage AWS Lambda to build a robust, cost-effective, and scalable serverless solution for monitoring your SSL/TLS certificates. We'll dive into the practicalities, including code examples and potential pitfalls, giving you the knowledge to roll your own system.

The Problem: Silent Certificate Expiry

Imagine this: it’s 3 AM, and your on-call engineer gets paged. Your main customer-facing application is down, showing "NET::ERR_CERT_DATE_INVALID" errors in browsers. Digging deeper, you find that a certificate on an obscure load balancer or an internal API endpoint expired silently. No alerts, no warnings. The fix might be quick, but the downtime and reputational damage are not.

This scenario is far too common. Certificates expire for many reasons: forgotten renewals, changes in ownership, or simply a lack of centralized visibility. Traditional infrastructure monitoring often focuses on CPU, memory, and network I/O, not the expiry date embedded within a TLS handshake. While domain registrars might send renewal notices for the domain itself, they rarely track the actual SSL certificate on your servers.

Why Serverless for SSL Monitoring?

AWS Lambda, a serverless compute service, is an excellent fit for this kind of monitoring task. Here's why:

Cost-Effectiveness: You only pay for the compute time your function actually uses. For a task that runs infrequently (e.g., once a day or once a week), this is significantly cheaper than provisioning and maintaining a dedicated EC2 instance.
Scalability: Lambda automatically scales to handle the number of invocations. Whether you're checking 10 certificates or 10,000, Lambda can manage the workload without you needing to provision more servers.
Simplicity: You focus purely on the certificate checking logic. AWS handles all the underlying infrastructure, operating system patching, and scaling.
Event-Driven Nature: Lambda integrates seamlessly with Amazon EventBridge (formerly CloudWatch Events), allowing you to schedule your certificate checks using cron-like expressions. This makes it perfect for recurring, automated tasks.
Integration: Lambda plays well with other AWS services like SNS (for email/SMS), SES (for custom emails), and Secrets Manager (for storing webhook URLs), making notification setup straightforward.

Core Components of a Lambda-based Solution

To build our serverless certificate monitoring system, we'll primarily use these AWS services:

AWS Lambda: The compute engine that runs our Python code to check certificate expiry.
Amazon EventBridge: To schedule our Lambda function to run at regular intervals (e.g., daily).
AWS Secrets Manager (or SSM Parameter Store): To securely store sensitive information, such as Slack webhook URLs or API keys for notification services.
Amazon SNS or direct webhook calls: For sending notifications when a certificate is nearing expiry.

Building Your Lambda Function: The Certificate Check Logic

Let's get practical. We'll use Python for our Lambda function, as it has excellent built-in capabilities for network operations and certificate parsing.

The core idea is to connect to a host and port, perform a TLS handshake, retrieve the certificate, and then extract its expiry date.

```python import ssl import socket import datetime import os import json import urllib.request

def get_certificate_expiry(hostname, port=443): """ Connects to a host, retrieves its SSL/TLS certificate, and returns the expiry date. """ try: context = ssl.create_default_context() # For SNI (Server Name Indication), specify the hostname with socket.create_connection((hostname, port), timeout=5) as sock: with context.wrap_socket(sock, server_hostname=hostname) as ssock: cert = ssock.getpeercert() # 'notAfter' is the expiry date in a specific format (e.g., 'Nov 15 12:00:00 2024 GMT') expiry_str = cert['notAfter'] # Parse the string into a datetime object # Python's strptime doesn't handle timezone abbreviations like 'GMT' directly, # so we simplify and assume UTC for comparison. expiry_date = datetime.datetime.strptime(expiry_str, '%b %d %H:%M:%S %Y %Z') return expiry_date except ssl.SSLError as e: print(f"SSL Error for {hostname}:{port}: {e}") return None except socket.timeout: print(f"Connection timeout for {hostname}:{port}") return None except Exception as e: print(f"General error for {hostname}:{port}: {e}") return None

def send_slack_notification(webhook_url, message): """ Sends a message to a Slack channel via a webhook. """ slack_data = {'text': message} headers = {'Content-Type': 'application/json'} req = urllib.request.Request(webhook_url, data=json.dumps(slack_data).encode('utf-8'), headers=headers) try: with urllib.request.urlopen(req) as response: response_body = response.read().decode('utf-8') print(f"Slack notification sent. Response: {response_body}") except Exception as e: print(f"Failed to send Slack notification: {e}")

def lambda_handler(event, context): # Configuration # You might store this in an S3 bucket, DynamoDB, or environment variables # For simplicity, let's use environment variables for a few domains TARGET_DOMAINS_STR = os.environ.get('TARGET_DOMAINS', 'example.com:443,anothersite.org:443') WARNING_THRESHOLD_DAYS = int(os.environ.get('WARNING_THRESHOLD_DAYS', '30')) SLACK_WEBHOOK_URL = os.environ.get('SLACK_WEBHOOK_URL') # Retrieve from Secrets Manager in production

if not SLACK_WEBHOOK_URL:
    print("SLACK_WEBHOOK_URL not configured. Skipping notifications.")

target_domains = [tuple(d.split(':')) for d in TARGET_DOMAINS_STR.split(',')]

alerts = []
now = datetime.datetime.utcnow()

for hostname, port_str in target_domains:
    port = int(port_str)
    print(f"Checking certificate for {hostname}:{port}...")
    expiry = get_certificate_expiry(hostname, port)

    if expiry:
        time_left = expiry - now
        days_left = time_left.days
        print(f"  {hostname} expires in {days_left} days.")

        if days_left <= WARNING_THRESHOLD_DAYS:
            alert_message = (f":warning: SSL Certificate for *{hostname}* on port *{port}* "
                             f"expires in *{days_left} days* on {expiry.strftime('%Y-%m-%d %H:%M UTC')}.")
            alerts.append(alert_message)
    else:
        alerts.append(f":x: Failed to retrieve certificate for *{hostname}* on port *{port}*. Check logs.")

if alerts and SLACK_WEBHOOK_URL:
    full_message = "Certfly Lambda Alert Summary:\n" + "\n".join(alerts)
    send_slack_notification(SLACK_WEBHOOK_URL, full_message

Serverless SSL Expiry Monitoring with AWS Lambda

Serverless SSL Expiry Monitoring with AWS Lambda

The Problem: Silent Certificate Expiry

Why Serverless for SSL Monitoring?

Core Components of a Lambda-based Solution

Building Your Lambda Function: The Certificate Check Logic

Related articles

Watch your TLS certs so you don't have to.