When you work in IT, numerous little things could or should be automated. One of those is the monitoring of expiring SSL certificates. Quite often, the process of monitoring for SSL certificates is calendar-based. When someone orders a new certificate, they mark the expiration date in the group IT calendar and set it to notify a week prior.
Nothing wrong with this approach, but it’s also awfully clumsy and error-prone. Thus, I was happy to see that Azure Application Insights now has the capability to do just this: monitor for expiring SSL certificates using a Standard Test!
How does it work?
Whenever you load a web page via HTTPS, you can see when the SSL certificate being used will expire. For this site, it will expire in March 2022:
The logic is simple: poll a given HTTPS-endpoint frequently, and alert when the Expires on date is close. And then refresh the certificate. You can build a custom tool for this in a few hours, but rarely do I see anyone do this – they resort to using a note in the calendar because it’s easier and requires zero support.
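A minimal version of the polling logic described above, written here as an added example (not the author's code and not how Application Insights implements its test): it reads the certificate's notAfter date over TLS and classifies it against a warning window. The host example.com, the function names and the 30-day default are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed default; alert when this many days or fewer remain


def fetch_not_after(host, port=443, timeout=5.0):
    """Connect over TLS and return the leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now):
    """Whole days from `now` (aware UTC datetime) until notAfter."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days  # negative once the date has passed


def check(not_after, now, warn_days=WARN_DAYS):
    """Return (status, days) with status 'ok', 'expiring' or 'expired'."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


def poll(host, now=None):
    """One polling cycle for `host`; returns (status, detail)."""
    now = now or datetime.now(timezone.utc)
    try:
        return check(fetch_not_after(host), now)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired or untrusted certificate fails the handshake,
        # so there is no notAfter to read; treat that as an alert as well.
        return "invalid", exc.verify_message


if __name__ == "__main__":
    # example.com is a placeholder host; run this from a scheduler.
    print(poll("example.com"))
```

Any status other than "ok" is the point at which to send the notification and refresh the certificate.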
With a Standard Test, Azure Application Insights now allows for exactly this: ping a website, and trigger an event when the certificate is about to expire.
Let’s see how it works by building monitoring for my website.
I need a fresh instance of Application Insights, so I’ll provision a new Resource Group first using Azure CLI:
az group create --name "ssl-monitor" --location westeurope
To provision a new Application Insights instance, we need the Azure CLI extension for it, as it is not loaded by default. The command for this is:
az extension add -n application-insights
Next, we’ll provision the new Application Insights instance and place it in our new Resource Group called ssl-monitor:
az monitor app-insights component create --app sslmonitor --location westeurope --kind web -g ssl-monitor --application-type web
Now we have a fresh Application Insights instance, and all we have to do is to configure our test.
Configuring the test
Traditionally, tests in Application Insights were either classic (simple) tests used for pinging a website to find a string on the page or more complex tests (often used for load testing) you authored using Visual Studio. The latter is now more or less legacy, and the former can still be used.
A third type is now available, called Standard Test and it’s in preview. You can find this under Application Insights > Availability:
I created a new Standard Test with the following settings:
I chose not to parse anything beyond the SSL certificate validity; the check occurs every 15 minutes. I think it’s still way too often, but that’s the longest interval it allows. I’m getting a notification 30 days before the SSL certificate expires on my site. The available options are 1, 7, 30, 90, or 365 days in advance.
Lastly, I need to configure the alert. This is a bit hidden, but you can access the specific alert once you’ve defined the Standard Test and clicked the three dots > Open Rules (Alerts) Page.
From here, you can click the default alert (that was created with the test) and define the action. I just created a new action to email me, but you could also have it run an Automation Runbook, execute an Azure Function, call a Logic App, a Webhook, or a ticketing system.
It’s easiest to test with plain old email. I reconfigured my Standard Test to fail if the SSL certificate expires in the next 365 days. This is what the alert then looks like as an email:
Viewing the alert via Application Insights in Azure Portal, it reveals more details:
It works well. I then reconfigured my Standard Test to react if it’s 30 days or less before the SSL certificate expiration.
How much does it cost, then? Well, Application Insights costs have always been tough to predict, as they accrue via data ingestion (which is now minimal) and multi-step web tests (of which there are zero).
During the preview, Standard Tests are free. Once the capability becomes generally available, pricing will be revealed.
[ Update Feb 17, 2023: Pricing is now available, as Standard Tests are no longer in preview. The price is €0.0006 per test execution. ]