certi
Certi is a python based SSL Transparency log monitoring tool that helps you keep tracking your issued certificates.
APACHE-2.0 License
Stars
9
Committers
1
Certi
Certi is a python based SSL Transparency log monitoring tool that helps you keep tracking your issued certificates.
What are Certificate logs
Certificate logs are append-only ledgers of certificates. Because they're distributed and independent, anyone can query them to see what certificates have been included and when. Because they're append-only, they are verifiable by Monitors. Organisations and individuals with the technical skills and capacity can run a log.
Thanks to CT, domain owners, browsers, academics, and other interested people can analyse and monitor logs. Theyre able to see which CAs have issued which certificates, when, and for which domains.
Features
- Monitor all your domains for certificate.
- Get alerts in many multiple communication channels thanks to apprise
- Manage your domains using REST API (swagger documentation included).
Components and Frameworks used in Certi
Limitations
Certi is using sslmate search API. The free API account has the following limitations:
- 100 single-hostname queries / hour.
- 10 full-domain queries / hour.
- 75 queries / minute.
- 5 queries / second.
A single-hostname query is a query which returns certificates for a single specific hostname. (The include_subdomains parameter is false.)
A full-domain query is a query which returns certificates for all descendant sub-domains of the queried domain. (The include_subdomains parameter is true.)
Supported Notifications
The section identifies all of the services supported by this library. Check out the wiki for more information on the supported modules here.
Popular Notification Services
The table below identifies the services this tool supports and some example service urls you need to use in order to take advantage of it. Click on any of the services listed below to get more details on how you can configure Apprise to access them.
| Notification Service | Service ID | Default Port | Example Syntax |
|---|---|---|---|
| Apprise API | apprise:// or apprises:// | (TCP) 80 or 443 | apprise://hostname/Token |
| AWS SES | ses:// | (TCP) 443 | ses://user@domain/AccessKeyID/AccessSecretKey/RegionNameses://user@domain/AccessKeyID/AccessSecretKey/RegionName/email1/email2/emailN |
| Boxcar | boxcar:// | (TCP) 443 | boxcar://hostnameboxcar://hostname/@tagboxcar://hostname/device_tokenboxcar://hostname/device_token1/device_token2/device_tokenNboxcar://hostname/@tag/@tag2/device_token |
| Discord | discord:// | (TCP) 443 | discord://webhook_id/webhook_tokendiscord://avatar@webhook_id/webhook_token |
| Emby | emby:// or embys:// | (TCP) 8096 | emby://user@hostname/emby://user:password@hostname |
| Enigma2 | enigma2:// or enigma2s:// | (TCP) 80 or 443 | enigma2://hostname |
| Faast | faast:// | (TCP) 443 | faast://authorizationtoken |
| FCM | fcm:// | (TCP) 443 | fcm://project@apikey/DEVICE_IDfcm://project@apikey/#TOPICfcm://project@apikey/DEVICE_ID1/#topic1/#topic2/DEVICE_ID2/ |
| Flock | flock:// | (TCP) 443 | flock://tokenflock://botname@tokenflock://app_token/u:useridflock://app_token/g:channel_idflock://app_token/u:userid/g:channel_id |
| Gitter | gitter:// | (TCP) 443 | gitter://token/roomgitter://token/room1/room2/roomN |
| Google Chat | gchat:// | (TCP) 443 | gchat://workspace/key/token |
| Gotify | gotify:// or gotifys:// | (TCP) 80 or 443 | gotify://hostname/tokengotifys://hostname/token?priority=high |
| Growl | growl:// | (UDP) 23053 | growl://hostnamegrowl://hostname:portnogrowl://password@hostnamegrowl://password@hostname:portNote: you can also use the get parameter version which can allow the growl request to behave using the older v1.x protocol. An example would look like: growl://hostname?version=1 |
| Home Assistant | hassio:// or hassios:// | (TCP) 8123 or 443 | hassio://hostname/accesstokenhassio://user@hostname/accesstokenhassio://user:password@hostname:port/accesstokenhassio://hostname/optional/path/accesstoken |
| IFTTT | ifttt:// | (TCP) 443 | ifttt://webhooksID/Eventifttt://webhooksID/Event1/Event2/EventNifttt://webhooksID/Event1/?+Key=Valueifttt://webhooksID/Event1/?-Key=value1 |
| Join | join:// | (TCP) 443 | join://apikey/devicejoin://apikey/device1/device2/deviceN/join://apikey/groupjoin://apikey/groupA/groupB/groupNjoin://apikey/DeviceA/groupA/groupN/DeviceN/ |
| KODI | kodi:// or kodis:// | (TCP) 8080 or 443 | kodi://hostnamekodi://user@hostnamekodi://user:password@hostname:port |
| Kumulos | kumulos:// | (TCP) 443 | kumulos://apikey/serverkey |
| LaMetric Time | lametric:// | (TCP) 443 | lametric://apikey@device_ipaddrlametric://apikey@hostname:portlametric://client_id@client_secret |
| Mailgun | mailgun:// | (TCP) 443 | mailgun://user@hostname/apikeymailgun://user@hostname/apikey/emailmailgun://user@hostname/apikey/email1/email2/emailNmailgun://user@hostname/apikey/?name="From%20User" |
| Matrix | matrix:// or matrixs:// | (TCP) 80 or 443 | matrix://hostnamematrix://user@hostnamematrixs://user:pass@hostname:port/#room_aliasmatrixs://user:pass@hostname:port/!room_idmatrixs://user:pass@hostname:port/#room_alias/!room_id/#room2matrixs://token@hostname:port/?webhook=matrixmatrix://user:token@hostname/?webhook=slack&format=markdown |
| Mattermost | mmost:// or mmosts:// | (TCP) 8065 | mmost://hostname/authkeymmost://hostname:80/authkeymmost://user@hostname:80/authkeymmost://hostname/authkey?channel=channelmmosts://hostname/authkeymmosts://user@hostname/authkey |
| Microsoft Teams | msteams:// | (TCP) 443 | msteams://TokenA/TokenB/TokenC/ |
| MQTT | mqtt:// or mqtts:// | (TCP) 1883 or 8883 | mqtt://hostname/topicmqtt://user@hostname/topicmqtts://user:pass@hostname:9883/topic |
| Nextcloud | ncloud:// or nclouds:// | (TCP) 80 or 443 | ncloud://adminuser:pass@host/Usernclouds://adminuser:pass@host/User1/User2/UserN |
| NextcloudTalk | nctalk:// or nctalks:// | (TCP) 80 or 443 | nctalk://user:pass@host/RoomIdnctalks://user:pass@host/RoomId1/RoomId2/RoomIdN |
| Notica | notica:// | (TCP) 443 | notica://Token/ |
| Notifico | notifico:// | (TCP) 443 | notifico://ProjectID/MessageHook/ |
| Office 365 | o365:// | (TCP) 443 | o365://TenantID:AccountEmail/ClientID/ClientSecreto365://TenantID:AccountEmail/ClientID/ClientSecret/TargetEmailo365://TenantID:AccountEmail/ClientID/ClientSecret/TargetEmail1/TargetEmail2/TargetEmailN |
| OneSignal | onesignal:// | (TCP) 443 | onesignal://AppID@APIKey/PlayerIDonesignal://TemplateID:AppID@APIKey/UserIDonesignal://AppID@APIKey/#IncludeSegmentonesignal://AppID@APIKey/Email |
| Opsgenie | opsgenie:// | (TCP) 443 | opsgenie://APIKeyopsgenie://APIKey/UserIDopsgenie://APIKey/#Teamopsgenie://APIKey/*Scheduleopsgenie://APIKey/^Escalation |
| ParsePlatform | parsep:// or parseps:// | (TCP) 80 or 443 | parsep://AppID:MasterKey@Hostnameparseps://AppID:MasterKey@Hostname |
| PopcornNotify | popcorn:// | (TCP) 443 | popcorn://ApiKey/ToPhoneNopopcorn://ApiKey/ToPhoneNo1/ToPhoneNo2/ToPhoneNoN/popcorn://ApiKey/ToEmailpopcorn://ApiKey/ToEmail1/ToEmail2/ToEmailN/popcorn://ApiKey/ToPhoneNo1/ToEmail1/ToPhoneNoN/ToEmailN |
| Prowl | prowl:// | (TCP) 443 | prowl://apikeyprowl://apikey/providerkey |
| PushBullet | pbul:// | (TCP) 443 | pbul://accesstokenpbul://accesstoken/#channelpbul://accesstoken/A_DEVICE_IDpbul://accesstoken/[email protected]pbul://accesstoken/#channel/#channel2/[email protected]/DEVICE |
| Pushjet | pjet:// or pjets:// | (TCP) 80 or 443 | pjet://hostname/secretpjet://hostname:port/secretpjets://secret@hostname/secretpjets://hostname:port/secret |
| Push (Techulus) | push:// | (TCP) 443 | push://apikey/ |
| Pushed | pushed:// | (TCP) 443 | pushed://appkey/appsecret/pushed://appkey/appsecret/#ChannelAliaspushed://appkey/appsecret/#ChannelAlias1/#ChannelAlias2/#ChannelAliasNpushed://appkey/appsecret/@UserPushedIDpushed://appkey/appsecret/@UserPushedID1/@UserPushedID2/@UserPushedIDN |
| Pushover | pover:// | (TCP) 443 | pover://user@tokenpover://user@token/DEVICEpover://user@token/DEVICE1/DEVICE2/DEVICENNote: you must specify both your user_id and token |
| PushSafer | psafer:// or psafers:// | (TCP) 80 or 443 | psafer://privatekeypsafers://privatekey/DEVICEpsafer://privatekey/DEVICE1/DEVICE2/DEVICEN |
| reddit:// | (TCP) 443 | reddit://user:password@app_id/app_secret/subredditreddit://user:password@app_id/app_secret/sub1/sub2/subN | |
| Rocket.Chat | rocket:// or rockets:// | (TCP) 80 or 443 | rocket://user:password@hostname/RoomID/Channelrockets://user:password@hostname:443/#Channel1/#Channel1/RoomIDrocket://user:password@hostname/#Channelrocket://webhook@hostnamerockets://webhook@hostname/@User/#Channel |
| Ryver | ryver:// | (TCP) 443 | ryver://Organization/Tokenryver://botname@Organization/Token |
| SendGrid | sendgrid:// | (TCP) 443 | sendgrid://APIToken:FromEmail/sendgrid://APIToken:FromEmail/ToEmailsendgrid://APIToken:FromEmail/ToEmail1/ToEmail2/ToEmailN/ |
| ServerChan | serverchan:// | (TCP) 443 | serverchan://token/ |
| SimplePush | spush:// | (TCP) 443 | spush://apikeyspush://salt:password@apikeyspush://apikey?event=Apprise |
| Slack | slack:// | (TCP) 443 | slack://TokenA/TokenB/TokenC/slack://TokenA/TokenB/TokenC/Channelslack://botname@TokenA/TokenB/TokenC/Channelslack://user@TokenA/TokenB/TokenC/Channel1/Channel2/ChannelN |
| SMTP2Go | smtp2go:// | (TCP) 443 | smtp2go://user@hostname/apikeysmtp2go://user@hostname/apikey/emailsmtp2go://user@hostname/apikey/email1/email2/emailNsmtp2go://user@hostname/apikey/?name="From%20User" |
| Streamlabs | strmlabs:// | (TCP) 443 | strmlabs://AccessToken/strmlabs://AccessToken/?name=name&identifier=identifier&amount=0¤cy=USD |
| SparkPost | sparkpost:// | (TCP) 443 | sparkpost://user@hostname/apikeysparkpost://user@hostname/apikey/emailsparkpost://user@hostname/apikey/email1/email2/emailNsparkpost://user@hostname/apikey/?name="From%20User" |
| Spontit | spontit:// | (TCP) 443 | spontit://UserID@APIKey/spontit://UserID@APIKey/Channelspontit://UserID@APIKey/Channel1/Channel2/ChannelN |
| Syslog | syslog:// | (UDP) 514 (if hostname specified) | syslog://syslog://Facilitysyslog://hostnamesyslog://hostname/Facility |
| Telegram | tgram:// | (TCP) 443 | tgram://bottoken/ChatIDtgram://bottoken/ChatID1/ChatID2/ChatIDN |
| twitter:// | (TCP) 443 | twitter://CKey/CSecret/AKey/ASecrettwitter://user@CKey/CSecret/AKey/ASecrettwitter://CKey/CSecret/AKey/ASecret/User1/User2/User2twitter://CKey/CSecret/AKey/ASecret?mode=tweet | |
| Twist | twist:// | (TCP) 443 | twist://pasword:logintwist://password:login/#channeltwist://password:login/#team:channeltwist://password:login/#team:channel1/channel2/#team3:channel |
| XBMC | xbmc:// or xbmcs:// | (TCP) 8080 or 443 | xbmc://hostnamexbmc://user@hostnamexbmc://user:password@hostname:port |
| XMPP | xmpp:// or xmpps:// | (TCP) 5222 or 5223 | xmpp://user:password@hostnamexmpps://user:password@hostname:port?jid=user@hostname/resourcexmpps://user:password@hostname/target@myhost, target2@myhost/resource |
| Webex Teams (Cisco) | wxteams:// | (TCP) 443 | wxteams://Token |
| Zulip Chat | zulip:// | (TCP) 443 | zulip://botname@Organization/Tokenzulip://botname@Organization/Token/Streamzulip://botname@Organization/Token/Email |
Installation
Certi is a docker based application that can be installed using docker compose:
version: "3.6"
services:
certi:
image: techblog/certi
container_name: certi
restart: always
ports:
- "8081:8081"
environment:
- API_KEY=
- SLEEP_TIME=
- NOTIFIERS=
- LOG_LEVEL=
volumes:
- ./data:/opt/certi/db
Environment
- API_KEY - API key for sslmate search API.
- SLEEP_TIME - Time between scans (Default is 7200, which is 2 hours) - To prevent exceeding the search API limits.
- NOTIFIERS - List of Supported Notifications
- LOG_LEVEL - Optional valuse are: DEBUG (default), INFO, ERROR
Volumes
In order to prevent data loss, it's recomended to mount a volume for the application Database. "/opt/certi/db" is the path inside the container where the sqlite db is located. it will be created automatically upon application startup.
Ports
Certi has a managment api for the domains and certificates. by default the port is set to 8081.
Managing the application
Certi has a small REST API endpoint created for easy managment. by default the port is set to to 8081. Swagger documentation can be accessed by adding "/docs" to the end of the url [http://docker:8081/docs].
The api have the following endpoints:
- domains/get (HTTP GET)- Get list of all monitored domains.
- domains/add/{DomainName} (HTTP PUT) - Add domain to monitored domains list.
- domains/delete/{DomainId} (HTTP DELETE) - Delete domain from the monitored domains list.
- /domains/active/{DomainId}/{state} (HTTP POST) - Set domain status to Active/InActive.
- /certificates/get (HTTP GET) - Get list off all certicicates that the Certi found.
Badges
Extracted from project README
