certificate diligence,
without the dashboard.
sslcheck reads any tls handshake and tells you what's actually on the wire — issuer, sans, expiry window, chain depth. one host or fifty. exit code 1 if anything's critical, so cron and ci can decide for themselves.
npm i -g @v0idd0/sslcheck
three buckets, one exit code.
cron doesn't read narratives. it reads exit codes. sslcheck collapses ten tls properties into one severity per host, so your monitor stays one line of jq.
scan one host
port defaults to 443. issuer, sans, expiry, key, chain depth — all in eight lines.
fleet of domains
one process, sequential handshakes. exit 1 if any single one's critical.
json for monitors
full chain, fingerprints, cipher, leaf summary. pipe to jq, route to alertmanager.
override sni
useful for shared infra where the cert depends on which name you ask for.
three places it earns its keep.
npm
$ npm i -g @v0idd0/sslcheck
node 14+ on linux / macos / windows. zero runtime deps — only node's built-in tls module.
cron
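# crontab entry. cron has no line continuation, so the whole job sits on one line;
# jq's true/false goes to /dev/null so cron has nothing to mail on healthy days.
0 8 * * * sslcheck voiddo.com api.voiddo.com --json | jq -e '[.[] | select(.leaf.days_until_expiry < 14)] | length == 0' >/dev/null || alert-ops "tls cert nearing expiry"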
daily expiry watcher. silent on healthy days, pages on the day a cert hits the 14-day rail.
ci step
$ npx -y @v0idd0/sslcheck \
$STAGING_DOMAIN \
$PROD_DOMAIN
no install needed. exit code 1 fails the deploy if either env is serving a degraded chain.
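how the fields named above (issuer, sans, expiry window, chain depth) can be read from the certificate object node's built-in tls module returns, and collapsed into one severity. this is an added example, not sslcheck's source: the function names, the ok/warning/critical buckets and their thresholds are assumptions, and the sample chain is constructed.

```javascript
// Added example, not sslcheck's source. Bucket names and thresholds are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Count certificates by following issuerCertificate links; a self-signed root links to itself.
function chainDepth(cert) {
  const seen = new Set();
  for (let c = cert; c && c.fingerprint256 && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256);
  }
  return seen.size;
}

// cert has the shape returned by tls.TLSSocket#getPeerCertificate(true).
function summarize(cert, now = Date.now()) {
  const sans = (cert.subjectaltname || '').split(', ')
    .filter((e) => e.startsWith('DNS:')).map((e) => e.slice(4));
  const days = Math.floor((Date.parse(cert.valid_to) - now) / DAY_MS);
  // Assumed buckets: expired -> critical, under 14 days -> warning, else ok.
  const severity = days < 0 ? 'critical' : days < 14 ? 'warning' : 'ok';
  return { issuer: cert.issuer.CN, sans, days_until_expiry: days,
           chain_depth: chainDepth(cert), severity };
}

// Live probe. Verification is off only so a broken cert can still be read and reported;
// the trust verdict is recorded separately and no application data is sent.
async function probe(host, port = 443, servername = host) {
  const tls = await import('tls');
  return new Promise((resolve, reject) => {
    const sock = tls.connect({ host, port, servername, rejectUnauthorized: false }, () => {
      const out = { host, ...summarize(sock.getPeerCertificate(true)),
                    trusted: sock.authorized, trust_error: sock.authorizationError || null };
      sock.end();
      resolve(out);
    });
    sock.on('error', reject);
  });
}

// Constructed sample chain (leaf -> intermediate -> self-signed root); all values are made up.
const root = { fingerprint256: 'CC:03' };
root.issuerCertificate = root;
const SAMPLE_LEAF = {
  subjectaltname: 'DNS:example.test, DNS:www.example.test, IP Address:192.0.2.10',
  issuer: { CN: 'Example Intermediate CA' },
  valid_to: 'Mar 15 12:00:00 2025 GMT',
  fingerprint256: 'AA:01',
  issuerCertificate: { fingerprint256: 'BB:02', issuerCertificate: root },
};
console.log(summarize(SAMPLE_LEAF, Date.UTC(2025, 2, 5, 12)));
```

the third argument to probe is the sni name, which is what the "override sni" case changes while the host being dialed stays the same.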
a let's encrypt renewal hook had been silently failing for nine days. the cert kept working — until it didn't, at 03:14 utc, on a friday. this script is what we wish we'd had cron-running in week one.
no telemetry. no signup. no “upgrade for the enterprise rule pack.” mit forever, even if vøiddo dies tomorrow — the source is public and the npm package is yours to fork.