This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Tool to find expired or expiring certificates, and optionally send to Slack


alphagov/expired-cert-finder


Expired Cert Finder

GOV.UK Verify has closed

This repository is out of date and has been archived

This is a tool to help find expiring or expired certificates within a directory. Optionally, it can send certificate information to Slack or save it to a file.

Install

This tool requires Python 3.8 or later.

$: pip install git+https://git@github.com/alphagov/expired-cert-finder.git

Command line arguments

  --help                       : Show this text
  --debug                      : (bool) Adds extra logging (Default: False)
  --slack                      : (bool) Send results to Slack (Default: False)
  --ui=False                   : (bool) Do not show the progress bar (Default: True)
  --save-results               : (bool) Save the results to a file (Default: False)
  --expired-only               : (bool) Only show expired certificates (Default: False)
  --expiry-window              : (Number) Window for expiring certificates (Default: 30)
  --expired-cert-list-filename : (Filename) Where to save list of expiring/expired certificates (Default: expired.txt)
  --slack-webhook-url          : (URL) This is the webhook url generated by Slack e.g. https://hooks.slack.com/services/...
  --allowed-list               : (Filename) Path for allowed expiring/expired certificates (Default: certificate_allowlist.config)

Output

How to scan a local directory for expired certificates

$: expired-cert-finder
Discovering Files: 301
Scanning Expired Certificates |████████████████████████████████| 301/301
./work/test.yml, Cert Checker, EXPIRED: 2021-01-25

Scanning another directory, with the UI turned off.

$: expired-cert-finder --ui=False ./work
./work/test.yml, Cert Checker, EXPIRED: 2021-01-25

Ignoring certificates

There may be certificates that you already know have expired and therefore don't want the certificate checker to flag. To ignore these certificates, do the following:

Create a new file called certificate_allowlist.config. Add one line for each certificate that you want to ignore. Each line is either:

- the path to the certificate, if it is a file, e.g. ./work/test.yml
- the base64 encoded string of the certificate, e.g. LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL......

An example of certificate_allowlist.config

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL......
./work/test.yml

The expired cert checker should pick up certificate_allowlist.config within a directory by default, but you can pass it explicitly using the --allowed-list command line argument:

$: expired-cert-finder --allowed-list=./certificate_allowlist.config
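The following is an added example, not code from this repository. It sketches how the two kinds of allowlist entry described above could be matched against findings, and it also lists allowlist entries that no longer match anything so they can be pruned. How the tool itself matches entries is not shown on this page, so the whitespace-insensitive comparison, the function names and the sample data are assumptions.

```python
import base64
import posixpath
import re

# Base64 of the PEM header: every base64-wrapped PEM certificate starts with it.
B64_PEM_PREFIX = base64.b64encode(b"-----BEGIN CERTIFICATE-----").decode()

def _canon(pem: str) -> str:
    """Strip all whitespace so line-wrapping differences do not affect matching."""
    return re.sub(r"\s+", "", pem)

def parse_allowlist(text: str):
    """Split allowlist lines into normalised paths and canonical PEM bodies."""
    paths, certs = set(), set()
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(B64_PEM_PREFIX):
            certs.add(_canon(base64.b64decode(line).decode("ascii")))
        else:
            paths.add(posixpath.normpath(line))
    return paths, certs

def apply_allowlist(findings, allowlist_text):
    """findings: iterable of (path, pem_text). Returns (reported, suppressed, stale)."""
    paths, certs = parse_allowlist(allowlist_text)
    reported, suppressed, used = [], [], set()
    for path, pem in findings:
        p, c = posixpath.normpath(path), _canon(pem)
        hit = p if p in paths else c if c in certs else None
        if hit is None:
            reported.append(path)
        else:
            suppressed.append(path)
            used.add(hit)
    # Entries that matched nothing are stale and can be removed from the allowlist.
    stale = sorted((paths | certs) - used)
    return reported, suppressed, stale

# Constructed sample data (not real certificates).
PEM_A = "-----BEGIN CERTIFICATE-----\nQUJDREVGRw==\n-----END CERTIFICATE-----\n"
PEM_B = "-----BEGIN CERTIFICATE-----\nSElKS0xNTg==\n-----END CERTIFICATE-----\n"
ALLOWLIST = (base64.b64encode(PEM_A.encode()).decode()
             + "\n./work/test.yml\n./old/retired.pem\n")
FINDINGS = [("work/test.yml", PEM_B), ("./conf/app.yml", PEM_A), ("./conf/new.yml", PEM_B)]

if __name__ == "__main__":
    print(apply_allowlist(FINDINGS, ALLOWLIST))
```

A path entry suppresses every certificate found in that file, including one added later, whereas a base64 entry suppresses only that exact certificate wherever it appears.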

Developers

Development dependencies are stored within requirements_dev.txt, you can install them after you have installed the normal requirements.txt.

This can be done using pip install -r requirements.txt then pip install -r requirements_dev.txt

Testing

Testing is carried out by the Behave framework which can be executed by using the command behave.

The current set of tests is written as Cucumber Scenarios, which are stored within the features directory.

When the tests are run they create a working directory called ./work.
