It looks like in the latest release a change was made specifically on this line, requiring subjectaltname: https://github.com/dyaa/ssl-checker/blob/master/src/index.ts#L57

According to the TLS docs here, that is an optional field in a cert response, so I'm confused on why this module is requiring that for a valid cert, when it isn't required for a cert to be valid.

Requesting that this check be removed: !subjectaltname

daysRemaining is not shown correct remaining days

Domain - santhoshveer.com

{ daysRemaining: 90,
  valid: true,
  validFrom: '2019-09-15T23:29:18.000Z',
  validTo: '2019-12-14T23:29:18.000Z' }

Hi is this possible to Check Multiple Domains?

sslChecker('example1.com','example2.com', 'GET', 443)`

another Suggestion include domain name in JSON output

Hello, can the host be an IP or a CIDR block, and how can it handle common name mismatch?

I was testing this library with the following use case:

• ERR_CERT_REVOKED

I was expecting the result of this test to be invalid due to the error ERR_CERT_REVOKED active on the certificate but this is what I got:

{
    "daysRemaining": 352,
    "valid": true,
    "validFrom": "2021-10-27T00:00:00.000Z",
    "validTo": "2022-10-27T23:59:59.000Z",
    "validFor": [
        "revoked.badssl.com"
    ]
}

First of all, thanks to all the people contributing to this project.

My case.

The domain is for exemple: sample.app

Date of the test: 2022-12-18T00:00:00.000Z

sample.app -> valid (nothing special)
dev.sample.app -> valid (I was excited)

Then came the need to add this :

container-87546.dev.sample.app -> not valid (it was too good to go on ...)

 {
  "daysRemaining": 290,
  "valid": false,
  "validFrom": "2022-10-03T00:00:00.000Z",
  "validTo": "2023-10-03T23:59:59.000Z",
  "validFor": [
    "*.sample.app",
    "sample.app"
  ]
} 

Normally, we should be able to check in validFor for domain starting with *. like in my case for *.sample.app and compare it with container-87546.dev[.sample.app] as long are dates are OK and let it pass as valid ... Right ?

Maybe, there is only IEwho does not support this, but who cares ?

This always returns a positive number for days_remaining, I changed this by changing line 25 to

let daysBetween = (from, to) =>Math.round((to - from)/8.64e7);

Current Date is subtracted from the expiry date so that the returned number is either days remaining before expiry or -ve number i.e. expired 100 days ago.

Hi, I am one of the maintainers at Monika, a synthetic monitoring tool. We have been using your library for while, and I have a problem:

So we are trying to check government websites' SSL certificates, but the library said that the certificates are invalid. But, when we opened the website, it shows a valid certificate (according to Chrome).

Here are the two websites that show invalid certs:

• https://www.tangerangselatankota.go.id
• https://www.kemendagri.go.id

I want to know exactly how did you check for the "certificate validity"?

I found where is the problem.

There is a function:

I use this function like this:

If you don't set port 443 - everything is OK. Setting a port to 443 give us extended information about ssl errors (e.g. "Host: is not in the cert's altnames:") But if you set port 443 function works correctly only one time, next time when I call this function it leads to the crash.

So I have a bunch of certificates which needs to be checked every once in a week if it is expired or not and give an notification prior to expiry.. so will this node package help to check expiry? Thanks. If not can you recommend any other package.

Latest Version is Not Working

index.js

var sslChecker = require("ssl-checker")
sslChecker("dyaa.me", { method: "GET", port: 443 }).then(console.info);

/home/groot/Santhosh/nodejs/ssl-expiry-reminder/test/index.js:2
sslChecker("dyaa.me", { method: "GET", port: 443 }).then(console.info);
^

TypeError: sslChecker is not a function
    at Object.<anonymous> (/home/groot/Santhosh/nodejs/ssl-expiry-reminder/test/index.js:2:1)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
    at startup (internal/bootstrap/node.js:283:19)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:622:3)

Node Version - v10.16.3

I tried to use this lib in a NestJS application.
If I wanted to serve the application and fetch requests I hit the following exeption:

[Nest] 14096   - 20.06.2021, 13:15:03   [ExceptionsHandler] ssl_checker_1.default is not a function +110990ms
TypeError: ssl_checker_1.default is not a function
    at AppService.getSslDetails (D:\projects\ssl-check-dashboard\dist\app.service.js:14:43)
    at AppController.getSSLStatus (D:\projects\ssl-check-dashboard\dist\app.controller.js:20:38)
    at D:\projects\ssl-check-dashboard\node_modules\@nestjs\core\router\router-execution-context.js:38:29
    at InterceptorsConsumer.intercept (D:\projects\ssl-check-dashboard\node_modules\@nestjs\core\interceptors\interceptors-consumer.js:11:20)
    at D:\projects\ssl-check-dashboard\node_modules\@nestjs\core\router\router-execution-context.js:46:60
    at D:\projects\ssl-check-dashboard\node_modules\@nestjs\core\router\router-proxy.js:9:23
    at Layer.handle [as handle_request] (D:\projects\ssl-check-dashboard\node_modules\express\lib\router\layer.js:95:5)
    at next (D:\projects\ssl-check-dashboard\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (D:\projects\ssl-check-dashboard\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (D:\projects\ssl-check-dashboard\node_modules\express\lib\router\layer.js:95:5)

I googled a bit and found a workaround to get it up and running.
When I set "esModuleInterop": true in the tsconfig I was able to use the library.

{
    "compilerOptions": {
        ... ,
        "esModuleInterop": true
    }
}

But it seems to be an issue with the default export you did in the library.

May you could check and fix that. :)
Thank you.

OS: linux mint 20

Error log: Error: write EPROTO 21401778608328:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242: [1] [1] at WriteWrap.onWriteComplete [as oncomplete] (internal/stream_base_commons.js:87:16) { [1] errno: 'EPROTO', [1] code: 'EPROTO', [1] syscall: 'write' [1] }

I tried this: sslChecker("localhost", { method: "GET", port: 3500 })

In that port there is a React's istance

I expected an error about the certificate, no this.

[EDIT]

Response by Postman:

The ability to set the return format of the dates would be great.

Currently I am having to convert them after the return which is a little untidy:

return await sslChecker(domain)
    .then(res => {
        /** Make sure we return a valid date format for the frontend */
        res['valid_from'] = new Date(res.valid_from).toISOString();
        res['valid_to'] = new Date(res.valid_to).toISOString();
        return res;

I'm trying to use the ssl-checker package and I've noticed that it only works for hostnames without a resource point /. Examples below:

hostname: www.rust-lang.com

hostname: opensource.google/

I was wondering if there's another alternative to check if the SSL certificates are valid on hostnames that also include the resource path, thanks.

Hi,

How can I check the self-signed and valid SSL ?

Hello,

I've tried it following your instructions.

@2.0.4 works fine, however @2.0.5 gives the following error:

TypeError: sslChecker is not a function
at Object. (/workspace/myproject/app.js:324:1)
at Module._compile (internal/modules/cjs/loader.js:701:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:712:10)
at Module.load (internal/modules/cjs/loader.js:600:32)
at tryModuleLoad (internal/modules/cjs/loader.js:539:12)
at Function.Module._load (internal/modules/cjs/loader.js:531:3)
at Function.Module.runMain (internal/modules/cjs/loader.js:754:12)
at startup (internal/bootstrap/node.js:283:19)
at bootstrapNodeJSCore (internal/bootstrap/node.js:622:3)

Cheers.

Create new release 2.0.10 - for latest commit with updated feature: #539

Would it be possible to specify the actual public IP address of the the domain that ssl-checker should resolve to in the options?

The issue I am experiencing is that the domain is behind a cloudflare DNS server that has a different SSL certificate.
The server itself uses an internal certificate that is not being picked up because the domain resolves to the cloudflare DNS.

for example :
curl -v https://www.example.com
will resolve to the the IP address behind cloudflare and display the cloudflare SSL cert.

curl -v --resolve www.example.com:443:127.0.0.1 https://www.example.com
will bypass DNS lookup and check on the server itself (if the server was available on 127.0.0.1)

Example:
{
daysRemaining: 330,
valid: false,
validFrom: '2020-11-23T00:00:00.000Z',
validTo: '2021-11-23T23:59:59.000Z',
validFor: [ ... ]
}

Can you explain me about this problem?

On the first checking, everything was ok, I had this result:

But in the second check on the same resource (google.com, for example), I have this issue

Any suggestions?

Hi,

I´m wondering how I could use a proxy? Can someone provide me an example for this please?

Thanks a lot!

You are catching all the errors and log them to console. This wait, I can not catch the errors outside of your code through .catch() or using await in a try/catch block.

I get the idea of the check but it actually prevents a user from using Hostnames, that are valid.
For example german company "Märklin" has the domain märklin.de which is totally valid and has an SSL certificate but your regex does not allow it.
Also, there are a lot of other special characters which are allowed on certain hostnames but not in your regex making the package kind of useless.
After a small local test I'd remove the test completely since Node just threws ENOTFOUND if the host does not exist.

I don't know if anyone noticed, sending request to some-simple-test-domain.com which does not resolve will crash the app.

Problem is with req_1.on("error", reject) where reject isn't handled. The fix is below and it will still return response which then can be handled. And more important app will not crash

        // req_1.on("error", reject);
        // FIX
        req_1.on('error', function (err) {
            // Solution
            resolve({
                daysRemaining: 99999,
                valid: false,
                validFrom: 'ENONET',
                validTo: 'ENONET',
                validFor: [],
                rejectedFor: [host]
            });
        });
    

OS: linux mint 20

Error log: Error: write EPROTO 21401778608328:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242: [1] [1] at WriteWrap.onWriteComplete [as oncomplete] (internal/stream_base_commons.js:87:16) { [1] errno: 'EPROTO', [1] code: 'EPROTO', [1] syscall: 'write' [1] }

I tried this: sslChecker("localhost", { method: "GET", port: 3500 })

In that port there is a React's istance

I expected an error about the certificate, no this.

I'm using the default snippet in typescript

import sslChecker from "ssl-checker";

const getSslDetails = async hostname => await sslChecker("google.com");
console.log(getSslDetails);

There's a way to specify proxy for the request check?

@dyaa Thanks for providing this library!

The commit history shows some security patches. But the npm registry version seems a year old.

Could you update the npm registry so everyone can enjoy the latest security fixes? 😄

Currently, there is no error raised if the certificate does not match the requested hostname.