Monitoring SSL Certificates with Alibaba Cloud Function Compute

By John Hanley, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

After working with Alibaba Cloud services, you may find that you have dozens or hundreds of services that depend on SSL certificates. This can include Elastic Compute Service (ECS) instances, websites, API Gateway services, Function Compute functions, and CDN endpoints. This article will discuss how to monitor SSL certificates and send emails on the status of your SSL certificates. We will use Function Compute and DirectMail for automation, monitoring and reporting.
This article is an add-on to my series on using Let’s Encrypt SSL certificates on Alibaba Cloud. Those certificates expire after 90 days, so keeping track of certificate expiration dates is very important. Tracking every service that uses an SSL certificate is mundane and tedious, however, and we often forget about them. In another article, we will develop software that can automatically renew Let’s Encrypt SSL certificates.
The goal of this article is to show you how to do this. The code is not production quality, rather it is education quality. All software that you plan to deploy for production purposes needs to be reviewed and tested for quality and suitability for your requirements.
This article assumes that you have a basic understanding of Alibaba Cloud Function Compute and DirectMail. If not, I have written this article to help you understand these services. The last part of this tutorial shows how to speed up testing and updates using the Alibaba Cloud FCLI command line program.

SSL Monitor Python Code Download

Download the Python code that will be used in this tutorial by clicking on this link: SSL Check — Python 3 (Zip — 10 KB)
Last Update: June 24, 2018
Requirements: Python 3.6 or newer (Python 2 is not supported)
Platforms: Tested on Windows 10 and Function Compute
Note: Antivirus software may flag this download because it is a zip file containing Python source code.

SSL Certificate Status Report

Let’s start by reviewing what this program generates. The following table is generated by this code and emailed to an email address that you specify. The report has 5 columns of information. Each row describes the status for one hostname. Notice that the last line is in yellow. This line includes the error message that the host is unreachable. I included the hostname “bad.neoprime.xyz” to generate this error on purpose.

[Report screenshot: NeoPrime SSL Certificate Status Report, Sat, 23 Jun 2018 18:24:41 GMT]

The key columns are “Status” and “Expires”. As long as the status shows OK, all is good. Otherwise the column carries a message such as “Expired”, “Time to Renew”, or the connection error for a host that could not be reached.

Program Configuration Parameters

During initial testing, run the program from the command line. In this mode the software reads your Alibaba Cloud credentials from your credentials file, so make sure those credentials have rights to call DirectMail. Once you are ready to switch to Function Compute, change the line “g_program_mode = PROGRAM_MODE_CMDLINE” to “g_program_mode = PROGRAM_MODE_ACS_FUNC”; the function then obtains its credentials from the RAM role assigned to its service (see Function Compute Authorization below).

Configure the hostnames that you want to monitor. In this example, we are monitoring four hostnames.

Configure the report subject and the recipient email address.

Configure the Alibaba Cloud DirectMail account parameters. This example uses Singapore for the region.

Retrieving an SSL Certificate from an Internet Host

This is the function that returns the SSL certificate presented by an Internet host. The certificate carries the fields the report needs, such as the subject name, the Subject Alt Names, the issuer and the expiration date (notAfter).

Checking an SSL Certificate

This function loops through each hostname and checks the SSL certificate for its expiration date (notAfter). This function also extracts other information from the SSL certificate such as the Issuer and Subject Alt Names (SAN). For each hostname, a row is added to the HTML table with “add_row()”. This function returns the HTML body that we have built. This HTML body will be part of the email message that is sent.
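The following is an added example, not the code from the article’s zip file, covering both of the functions described above: fetching a host’s certificate with Python’s standard ssl module, classifying it by notAfter, and building the HTML rows. The renewal threshold (30 days), the 30 second per-host timeout, the five column layout and the function names are my assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone
from html import escape

# Added example, not the article's code. Assumed values: the renewal threshold,
# the per-host socket timeout and the five report columns.
RENEW_DAYS = 30          # report "Time to Renew" when fewer days than this remain
TIMEOUT_SECONDS = 30     # per-host timeout; also the cost of every unreachable host


def fetch_certificate(hostname, port=443, timeout=TIMEOUT_SECONDS):
    """Connect with TLS and return the leaf certificate as the dict that
    ssl.getpeercert() produces (notAfter, issuer, subjectAltName, ...).
    The default context verifies the chain and the hostname, so an
    untrusted, expired or mismatched certificate raises
    ssl.SSLCertVerificationError instead of returning a dict."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def parse_cert_time(value):
    """Parse a getpeercert() date such as 'Sep 21 18:24:41 2018 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def cert_status(cert, now=None, renew_days=RENEW_DAYS):
    """Classify a certificate dict. Returns (status, expires, days_left)."""
    now = now or datetime.now(timezone.utc)
    expires = parse_cert_time(cert["notAfter"])
    days_left = (expires - now).days
    if expires <= now:
        status = "Expired"
    elif days_left < renew_days:
        status = "Time to Renew"
    else:
        status = "OK"
    return status, expires, days_left


def cert_details(cert):
    """Issuer organization and DNS Subject Alt Names from a certificate dict."""
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return issuer.get("organizationName", ""), sans


def add_row(hostname, status, expires, issuer, sans):
    """One HTML table row; anything that is not OK is highlighted. Every cell
    is escaped because issuer and SAN strings are supplied by the remote server."""
    style = "" if status == "OK" else ' style="background-color:yellow"'
    cells = (hostname, status, expires, issuer, ", ".join(sans))
    return "<tr%s>%s</tr>" % (style, "".join("<td>%s</td>" % escape(c) for c in cells))


def check_host(hostname, now=None, fetch=fetch_certificate):
    """Fetch and classify one host. Network and verification failures become
    an error row rather than aborting the whole report."""
    try:
        cert = fetch(hostname)
    except OSError as exc:      # socket errors, timeouts and ssl.SSLError all derive from OSError
        return add_row(hostname, "Error: %s" % exc, "", "", [])
    status, expires, _ = cert_status(cert, now)
    issuer, sans = cert_details(cert)
    return add_row(hostname, status, expires.strftime("%Y-%m-%d %H:%M UTC"), issuer, sans)


def build_report(hostnames, now=None, fetch=fetch_certificate):
    """HTML body for the email: a header row plus one row per hostname."""
    header = "<tr><th>Hostname</th><th>Status</th><th>Expires</th><th>Issuer</th><th>SAN</th></tr>"
    rows = [check_host(h, now, fetch) for h in hostnames]
    return "<table>%s%s</table>" % (header, "".join(rows))


if __name__ == "__main__":
    # bad.neoprime.xyz is the deliberately unreachable host from the article's report
    print(build_report(["example.com", "bad.neoprime.xyz"]))
```

Because the fetch uses a verifying context, a certificate that has already expired or does not match the hostname shows up as an error row (for example “certificate has expired”) rather than a parsed “Expired” row; for a monitor that is the desired outcome. If you need the notAfter of a certificate that fails verification, getpeercert() returns an empty dict on an unverified connection, so you would have to take getpeercert(binary_form=True) and parse the DER with a library such as cryptography.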

Complete Example

Creating the Function

The following screenshot shows the parameters to set for your function. The second screenshot shows the parameters to set for the “Time Trigger”, as this function will be called periodically. I set the Time Trigger to once per day at 8 AM PST (16:00 GMT).

[Screenshot: Function Compute function parameters]
[Screenshot: Time Trigger parameters]

Function Compute Authorization

Function Compute requires permission to send email using DirectMail. There are two methods to do this: hard code your credentials in the source code (a very bad idea), or use RAM (Resource Access Management) to create a “role” that you assign to your Function Compute service (a very good idea).
Steps to create a RAM role for Function Compute:

  1. Login to the Alibaba Console
  2. Go to Resource Access Management
  3. Click on Roles
  4. Click Create Role button
  5. Select Service Role
  6. Select FC Function Compute
  7. Enter a role name and description
  8. Click Create

This role is created but no permissions have been granted to the role.
Steps to grant permissions (authorize) to a role:

  1. Click Authorize button
  2. Click Edit Authorization Policy button
  3. In the Search Keywords box enter the word “Direct”
  4. Select AliyunDirectMailFullAccess
  5. Click the right arrow button to copy the policy to the right side
  6. Click OK

An important concept with Function Compute and RAM roles is that roles are assigned to Function Compute services. All functions under a service inherit this role. This means that if you have a Function Compute service with several functions, the RAM role will need the sum of the permissions required by each function. If you need tighter security, create separate services grouped by the permissions their functions need.
The RAM policy is a JSON document that describes the granted permissions. In this case the role is granting all actions that start with dm (Action: dm:*) on all resources (Resource: *), which is more than a function that only sends mail needs.

An often overlooked component of assigning a RAM role to a service is that the service requires permission to assume that role. A RAM role therefore has two components: the trust policy, which grants the STS (Security Token Service) permission to assume the role, and the permission policy attached to the role.
This JSON is the trust policy: it describes the permission that the Function Compute service itself has to assume the role via the AssumeRole action. Notice the service name “fc.aliyuncs.com” and the Action “sts:AssumeRole”.
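The two policy documents side by side, as an added example rather than text from the article or the console: the trust policy Function Compute needs in order to assume the role, the broad grant that AliyunDirectMailFullAccess makes, and a least-privilege replacement. The minimal policy assumes that “dm:SingleSendMail” is the RAM action behind DirectMail’s SingleSendMail API; check that against the current DirectMail action list before using it. The wildcard check at the end is a small helper I use before attaching a custom policy to a role that every function in a service will inherit.

```python
import json

# Added example, not the article's code or console output.
# TRUST_POLICY is the document generated when "FC Function Compute" is chosen as
# the service role; MINIMAL_POLICY assumes (unverified here) that dm:SingleSendMail
# is the RAM action name for the SingleSendMail API.

TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": ["fc.aliyuncs.com"]},
    }],
}

# What AliyunDirectMailFullAccess grants: every DirectMail action on every resource.
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "dm:*", "Resource": "*", "Effect": "Allow"}],
}

# Least-privilege replacement for this function, which only ever sends one mail.
MINIMAL_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "dm:SingleSendMail", "Resource": "*", "Effect": "Allow"}],
}


def wildcard_actions(policy):
    """Return the Allow actions in a RAM policy document that contain '*'.
    Action may be a string or a list, as in the console's JSON."""
    found = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.extend(action for action in actions if "*" in action)
    return found


def render(policy):
    """Serialize a policy the way the console's policy editor expects it."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(TRUST_POLICY))
    print("Full access wildcards:", wildcard_actions(FULL_ACCESS_POLICY))
    print("Minimal policy wildcards:", wildcard_actions(MINIMAL_POLICY))
```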

Function Compute Debugging

Manually invoke your function in the Alibaba Cloud Function Compute Console. If the invocation fails with an authorization error from DirectMail, you forgot to assign a RAM role with DirectMail permissions to your service.

Automatic Updates with FCLI

Let’s now see how we can speed up testing and updates using the Alibaba Cloud FCLI command line program.
The Function Compute example consists of several files. Rather than going to the Alibaba Console and uploading the code changes, I like to use the FCLI command line program to update my Function Compute functions from the command line. The following is the Windows Cmd Prompt batch script that I use.
This command creates a new package called index.zip and adds the source files. Then using fcli.exe the package is uploaded to Function Compute. Very easy and straightforward. Another example of good DevOps — remove as many manual steps as possible.

Creating the function with FCLI

This command will create the function and upload the code in one step. You will need to manually create the Time Trigger for the function in the Alibaba Cloud Console. This example uses the service name “ssl” and the function name “ssl_check”.

Remote Execution with FCLI

This command “invokes” the function remotely. This is a convenient method for testing.

Create Time Trigger with FCLI

This command creates a time trigger for Function Compute with FCLI. There are two components: the command and the yaml configuration file.

Additional Ideas

You could change the Time Trigger to invoke this function more often such as every 15 minutes. Then change the source code parameter g_only_send_notices = True to only receive an email if there is a problem. This would be a service check feature that can report to you if any of the HTTPS services are failing.
Another idea is to create multiple functions in different regions around the world to detect problems that regional customers might experience.
You could even add code to reboot an ECS instance that was not responding.
Do not specify too many hostnames to check. Function Compute has a maximum execution time of 300 seconds. With a failure timeout of 30 seconds per host, that limits one function to about 10 hostnames if every host could time out. If you reduce the failure timeout, each function can process more hostnames; you can also create multiple functions in Function Compute to spread the hostnames across them. If you do not retry failures, the practical limit is around 100 hostnames per function. The Alibaba Cloud Console has an “Invoke” button to run a function manually, and near the bottom of the console window it reports how long the function executed. Use that figure to adjust the number of hosts per function.
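The 300 second budget is only a problem when hosts are checked one after another. The following added example (my code, not the article’s) checks hosts concurrently and stops waiting before the invocation limit, so the report still goes out even when several hosts are unreachable. The “check” argument is any callable that takes a hostname and returns a status string (for instance a wrapper around the article’s per-host check, which already has its own socket timeout); the 30 second reserve kept back for sending the mail is an assumption, and simulated_check is a constructed stand-in used only to demonstrate the behaviour.

```python
import time
from concurrent.futures import ThreadPoolExecutor, wait

FC_MAX_SECONDS = 300          # Function Compute execution limit quoted in the article
MAIL_RESERVE_SECONDS = 30     # time kept back to build and send the report (assumption)


def check_hosts_parallel(hostnames, check, max_workers=10,
                         budget_seconds=FC_MAX_SECONDS,
                         reserve_seconds=MAIL_RESERVE_SECONDS):
    """Run check(hostname) concurrently and return {hostname: result}.

    Hosts whose check has not returned when the budget is nearly spent are
    reported as errors, so the email is sent before Function Compute
    terminates the invocation instead of being lost with it."""
    pool = ThreadPoolExecutor(max_workers=max_workers)
    futures = {pool.submit(check, host): host for host in hostnames}
    done, pending = wait(futures, timeout=max(0.0, budget_seconds - reserve_seconds))
    results = {}
    for future in done:
        try:
            results[futures[future]] = future.result()
        except Exception as exc:          # a check that raised still gets a row
            results[futures[future]] = "Error: %s" % exc
    for future in pending:
        future.cancel()                   # drops hosts that were never started
        results[futures[future]] = "Error: check did not finish before deadline"
    pool.shutdown(wait=False)             # do not block on checks still in flight
    return results


def simulated_check(hostname):
    """Constructed stand-in for a real certificate check: hosts whose name
    starts with 'slow' take three seconds, everything else answers at once."""
    if hostname.startswith("slow"):
        time.sleep(3)
    return "OK"


if __name__ == "__main__":
    hosts = ["a.example", "b.example", "slow.example"]
    print(check_hosts_parallel(hosts, simulated_check, budget_seconds=1, reserve_seconds=0.2))
```

A check that is still running when the deadline passes keeps its worker thread until its own socket timeout fires, which is why the per-host timeout in the check itself still matters; the deadline only bounds how long the report waits.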

Reference:

https://www.alibabacloud.com/blog/monitoring-ssl-certificates-with-alibaba-cloud-function-compute_593791?spm=a2c41.11747639.0.0
