GOV.UK Verify has closed
This repository is out of date and has been archived
This is a tool to help find expiring or expired certificates within a directory. Optionally, it can send certificate information to Slack or save it to a file.
This tool requires Python 3.8 or later.
pip install git+https://git@github.com/alphagov/expired-cert-finder.git
--help : Show this text
--debug : (bool) Adds extra logging (Default: False)
--slack : (bool) Send results to Slack (Default: False)
--ui=False : (bool) Do not show the progress bar (Default: True)
--save-results : (bool) Save the results to a file (Default: False)
--expired-only : (bool) Only show expired certificates (Default: False)
--expiry-window : (Number) Window for expiring certificates (Default: 30)
--expired-cert-list-filename : (Filename) Where to save list of expiring/expired certificates (Default: expired.txt)
--slack-webhook-url : (URL) This is the webhook URL generated by Slack, e.g. https://hooks.slack.com/services/...
--allowed-list : (Filename) Path for allowed expiring/expired certificates (Default: certificate_allowlist.config)
How to scan a local directory for expired certificates
$: expired-cert-finder
Discovering Files: 301
Scanning Expired Certificates |████████████████████████████████| 301/301
./work/test.yml, Cert Checker, EXPIRED: 2021-01-25
Scanning another directory, with the UI turned off.
$: expired-cert-finder --ui=False ./work
./work/test.yml, Cert Checker, EXPIRED: 2021-01-25
There may be certificates that you already know have expired and therefore don't want the certificate checker to flag. To ignore these certificates, do the following:
Create a new file called certificate_allowlist.config
To add a certificate that you want to ignore, you can either include the path to the certificate if it is a file, e.g. ./work/test.yml
Or include the base64-encoded string of the certificate, e.g. LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL......
An example of certificate_allowlist.config
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL......
./work/test.yml
The expired cert checker should pick up certificate_allowlist.config within a directory by default, but you can pass it explicitly on the command line using expired-cert-finder --allowed-list=./certificate_allowlist.config
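The sketch below is an added example, not code from this repository. It shows one way the two kinds of allowlist entry (a file path, or the base64 of the PEM text) could be applied to findings together with the expiry window and the expired-only switch. The function names, the findings tuple, the matching rules and the output format are assumptions made for illustration.

```python
import base64
import binascii
import os
from datetime import date, timedelta

PEM_B64_PREFIX = "LS0tLS1"  # base64 of "-----" when followed by "BEGIN ..."

def load_allowlist(text):
    """Split allowlist lines into normalised paths and decoded PEM strings."""
    paths, pems = set(), set()
    for entry in filter(None, (line.strip() for line in text.splitlines())):
        if entry.startswith(PEM_B64_PREFIX):
            try:
                pems.add(base64.b64decode(entry).decode().strip())
            except (binascii.Error, UnicodeDecodeError):
                continue  # malformed entry suppresses nothing
        else:
            paths.add(os.path.normpath(entry))
    return paths, pems

def classify(not_after, today, window_days=30):
    """Return 'EXPIRED', 'EXPIRING' (inside the window) or None."""
    if not_after < today:
        return "EXPIRED"
    if not_after <= today + timedelta(days=window_days):
        return "EXPIRING"
    return None

def report(findings, allowlist_text, today, window_days=30, expired_only=False):
    """findings: (path, pem_text, not_after) tuples from a hypothetical scanner."""
    paths, pems = load_allowlist(allowlist_text)
    lines = []
    for path, pem, not_after in findings:
        status = classify(not_after, today, window_days)
        if status is None or (expired_only and status != "EXPIRED"):
            continue
        if os.path.normpath(path) in paths or pem.strip() in pems:
            continue  # allowlisted by location or by exact certificate
        lines.append(f"{path}, {status}: {not_after.isoformat()}")
    return lines

# Constructed sample data: the PEM bodies are placeholders, not real certificates.
PEM_A = "-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n"
PEM_B = PEM_A.replace("QUFB", "QkJC")
FINDINGS = [
    ("./work/test.yml", PEM_A, date(2021, 1, 25)),
    ("work/copy/api.pem", PEM_B, date(2021, 1, 10)),
    ("./work/soon.pem", PEM_A.replace("QUFB", "Q0ND"), date(2021, 2, 20)),
]
ALLOWLIST = base64.b64encode(PEM_B.encode()).decode() + "\n./work/test.yml\n"
```

Under these assumed matching rules, a path entry silences whatever certificate sits at that path, while a base64 entry silences only that exact certificate wherever it is found, so the base64 form is the narrower exception.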
Development dependencies are stored within requirements_dev.txt. You can install them after you have installed the normal requirements.txt.
This can be done using pip install -r requirements.txt then pip install -r requirements_dev.txt
Testing is carried out by the Behave framework which can be executed by using the command behave.
The current set of tests is written as Cucumber scenarios, which are stored within the features directory.
When the tests are run they create a working directory called ./work.