Certi is a python based SSL Transparency log monitoring tool that helps you keep tracking your issued certificates.
Certificate logs are append-only ledgers of certificates. Because they're distributed and independent, anyone can query them to see what certificates have been included and when. Because they're append-only, they are verifiable by Monitors. Organisations and individuals with the technical skills and capacity can run a log.
Thanks to CT, domain owners, browsers, academics, and other interested people can analyse and monitor logs. They’re able to see which CAs have issued which certificates, when, and for which domains.
- Monitor all your domains for certificate.
- Get alerts in many multiple communication channels thanks to apprise
- Manage your domains using REST API (swagger documentation included).
Certi is using sslmate search API. The free API account has the following limitations:
- 100 single-hostname queries / hour.
- 10 full-domain queries / hour.
- 75 queries / minute.
- 5 queries / second.
A single-hostname query is a query which returns certificates for a single specific hostname. (The include_subdomains parameter is false.)
A full-domain query is a query which returns certificates for all descendant sub-domains of the queried domain. (The include_subdomains parameter is true.)
The section identifies all of the services supported by this library. Check out the wiki for more information on the supported modules here.
The table below identifies the services this tool supports and some example service urls you need to use in order to take advantage of it. Click on any of the services listed below to get more details on how you can configure Apprise to access them.
| Notification Service | Service ID | Default Port | Example Syntax |
|---|---|---|---|
| Apprise API | apprise:// or apprises:// | (TCP) 80 or 443 | apprise://hostname/Token |
| AWS SES | ses:// | (TCP) 443 | ses://user@domain/AccessKeyID/AccessSecretKey/RegionName ses://user@domain/AccessKeyID/AccessSecretKey/RegionName/email1/email2/emailN |
| Boxcar | boxcar:// | (TCP) 443 | boxcar://hostname boxcar://hostname/@tag boxcar://hostname/device_token boxcar://hostname/device_token1/device_token2/device_tokenN boxcar://hostname/@tag/@tag2/device_token |
| Discord | discord:// | (TCP) 443 | discord://webhook_id/webhook_token discord://avatar@webhook_id/webhook_token |
| Emby | emby:// or embys:// | (TCP) 8096 | emby://user@hostname/ emby://user:password@hostname |
| Enigma2 | enigma2:// or enigma2s:// | (TCP) 80 or 443 | enigma2://hostname |
| Faast | faast:// | (TCP) 443 | faast://authorizationtoken |
| FCM | fcm:// | (TCP) 443 | fcm://project@apikey/DEVICE_ID fcm://project@apikey/#TOPIC fcm://project@apikey/DEVICE_ID1/#topic1/#topic2/DEVICE_ID2/ |
| Flock | flock:// | (TCP) 443 | flock://token flock://botname@token flock://app_token/u:userid flock://app_token/g:channel_id flock://app_token/u:userid/g:channel_id |
| Gitter | gitter:// | (TCP) 443 | gitter://token/room gitter://token/room1/room2/roomN |
| Google Chat | gchat:// | (TCP) 443 | gchat://workspace/key/token |
| Gotify | gotify:// or gotifys:// | (TCP) 80 or 443 | gotify://hostname/token gotifys://hostname/token?priority=high |
| Growl | growl:// | (UDP) 23053 | growl://hostname growl://hostname:portno growl://password@hostname growl://password@hostname:port Note: you can also use the get parameter version which can allow the growl request to behave using the older v1.x protocol. An example would look like: growl://hostname?version=1 |
| Home Assistant | hassio:// or hassios:// | (TCP) 8123 or 443 | hassio://hostname/accesstoken hassio://user@hostname/accesstoken hassio://user:password@hostname:port/accesstoken hassio://hostname/optional/path/accesstoken |
| IFTTT | ifttt:// | (TCP) 443 | ifttt://webhooksID/Event ifttt://webhooksID/Event1/Event2/EventN ifttt://webhooksID/Event1/?+Key=Value ifttt://webhooksID/Event1/?-Key=value1 |
| Join | join:// | (TCP) 443 | join://apikey/device join://apikey/device1/device2/deviceN/ join://apikey/group join://apikey/groupA/groupB/groupN join://apikey/DeviceA/groupA/groupN/DeviceN/ |
| KODI | kodi:// or kodis:// | (TCP) 8080 or 443 | kodi://hostname kodi://user@hostname kodi://user:password@hostname:port |
| Kumulos | kumulos:// | (TCP) 443 | kumulos://apikey/serverkey |
| LaMetric Time | lametric:// | (TCP) 443 | lametric://apikey@device_ipaddr lametric://apikey@hostname:port lametric://client_id@client_secret |
| Mailgun | mailgun:// | (TCP) 443 | mailgun://user@hostname/apikey mailgun://user@hostname/apikey/email mailgun://user@hostname/apikey/email1/email2/emailN mailgun://user@hostname/apikey/?name="From%20User" |
| Matrix | matrix:// or matrixs:// | (TCP) 80 or 443 | matrix://hostname matrix://user@hostname matrixs://user:pass@hostname:port/#room_alias matrixs://user:pass@hostname:port/!room_id matrixs://user:pass@hostname:port/#room_alias/!room_id/#room2 matrixs://token@hostname:port/?webhook=matrix matrix://user:token@hostname/?webhook=slack&format=markdown |
| Mattermost | mmost:// or mmosts:// | (TCP) 8065 | mmost://hostname/authkey mmost://hostname:80/authkey mmost://user@hostname:80/authkey mmost://hostname/authkey?channel=channel mmosts://hostname/authkey mmosts://user@hostname/authkey |
| Microsoft Teams | msteams:// | (TCP) 443 | msteams://TokenA/TokenB/TokenC/ |
| MQTT | mqtt:// or mqtts:// | (TCP) 1883 or 8883 | mqtt://hostname/topic mqtt://user@hostname/topic mqtts://user:pass@hostname:9883/topic |
| Nextcloud | ncloud:// or nclouds:// | (TCP) 80 or 443 | ncloud://adminuser:pass@host/User nclouds://adminuser:pass@host/User1/User2/UserN |
| NextcloudTalk | nctalk:// or nctalks:// | (TCP) 80 or 443 | nctalk://user:pass@host/RoomId nctalks://user:pass@host/RoomId1/RoomId2/RoomIdN |
| Notica | notica:// | (TCP) 443 | notica://Token/ |
| Notifico | notifico:// | (TCP) 443 | notifico://ProjectID/MessageHook/ |
| Office 365 | o365:// | (TCP) 443 | o365://TenantID:AccountEmail/ClientID/ClientSecret o365://TenantID:AccountEmail/ClientID/ClientSecret/TargetEmail o365://TenantID:AccountEmail/ClientID/ClientSecret/TargetEmail1/TargetEmail2/TargetEmailN |
| OneSignal | onesignal:// | (TCP) 443 | onesignal://AppID@APIKey/PlayerID onesignal://TemplateID:AppID@APIKey/UserID onesignal://AppID@APIKey/#IncludeSegment onesignal://AppID@APIKey/Email |
| Opsgenie | opsgenie:// | (TCP) 443 | opsgenie://APIKey opsgenie://APIKey/UserID opsgenie://APIKey/#Team opsgenie://APIKey/*Schedule opsgenie://APIKey/^Escalation |
| ParsePlatform | parsep:// or parseps:// | (TCP) 80 or 443 | parsep://AppID:MasterKey@Hostname parseps://AppID:MasterKey@Hostname |
| PopcornNotify | popcorn:// | (TCP) 443 | popcorn://ApiKey/ToPhoneNo popcorn://ApiKey/ToPhoneNo1/ToPhoneNo2/ToPhoneNoN/ popcorn://ApiKey/ToEmail popcorn://ApiKey/ToEmail1/ToEmail2/ToEmailN/ popcorn://ApiKey/ToPhoneNo1/ToEmail1/ToPhoneNoN/ToEmailN |
| Prowl | prowl:// | (TCP) 443 | prowl://apikey prowl://apikey/providerkey |
| PushBullet | pbul:// | (TCP) 443 | pbul://accesstoken pbul://accesstoken/#channel pbul://accesstoken/A_DEVICE_ID pbul://accesstoken/email@address.com pbul://accesstoken/#channel/#channel2/email@address.net/DEVICE |
| Pushjet | pjet:// or pjets:// | (TCP) 80 or 443 | pjet://hostname/secret pjet://hostname:port/secret pjets://secret@hostname/secret pjets://hostname:port/secret |
| Push (Techulus) | push:// | (TCP) 443 | push://apikey/ |
| Pushed | pushed:// | (TCP) 443 | pushed://appkey/appsecret/ pushed://appkey/appsecret/#ChannelAlias pushed://appkey/appsecret/#ChannelAlias1/#ChannelAlias2/#ChannelAliasN pushed://appkey/appsecret/@UserPushedID pushed://appkey/appsecret/@UserPushedID1/@UserPushedID2/@UserPushedIDN |
| Pushover | pover:// | (TCP) 443 | pover://user@token pover://user@token/DEVICE pover://user@token/DEVICE1/DEVICE2/DEVICEN Note: you must specify both your user_id and token |
| PushSafer | psafer:// or psafers:// | (TCP) 80 or 443 | psafer://privatekey psafers://privatekey/DEVICE psafer://privatekey/DEVICE1/DEVICE2/DEVICEN |
| reddit:// | (TCP) 443 | reddit://user:password@app_id/app_secret/subreddit reddit://user:password@app_id/app_secret/sub1/sub2/subN |
|
| Rocket.Chat | rocket:// or rockets:// | (TCP) 80 or 443 | rocket://user:password@hostname/RoomID/Channel rockets://user:password@hostname:443/#Channel1/#Channel1/RoomID rocket://user:password@hostname/#Channel rocket://webhook@hostname rockets://webhook@hostname/@User/#Channel |
| Ryver | ryver:// | (TCP) 443 | ryver://Organization/Token ryver://botname@Organization/Token |
| SendGrid | sendgrid:// | (TCP) 443 | sendgrid://APIToken:FromEmail/ sendgrid://APIToken:FromEmail/ToEmail sendgrid://APIToken:FromEmail/ToEmail1/ToEmail2/ToEmailN/ |
| ServerChan | serverchan:// | (TCP) 443 | serverchan://token/ |
| SimplePush | spush:// | (TCP) 443 | spush://apikey spush://salt:password@apikey spush://apikey?event=Apprise |
| Slack | slack:// | (TCP) 443 | slack://TokenA/TokenB/TokenC/ slack://TokenA/TokenB/TokenC/Channel slack://botname@TokenA/TokenB/TokenC/Channel slack://user@TokenA/TokenB/TokenC/Channel1/Channel2/ChannelN |
| SMTP2Go | smtp2go:// | (TCP) 443 | smtp2go://user@hostname/apikey smtp2go://user@hostname/apikey/email smtp2go://user@hostname/apikey/email1/email2/emailN smtp2go://user@hostname/apikey/?name="From%20User" |
| Streamlabs | strmlabs:// | (TCP) 443 | strmlabs://AccessToken/ strmlabs://AccessToken/?name=name&identifier=identifier&amount=0¤cy=USD |
| SparkPost | sparkpost:// | (TCP) 443 | sparkpost://user@hostname/apikey sparkpost://user@hostname/apikey/email sparkpost://user@hostname/apikey/email1/email2/emailN sparkpost://user@hostname/apikey/?name="From%20User" |
| Spontit | spontit:// | (TCP) 443 | spontit://UserID@APIKey/ spontit://UserID@APIKey/Channel spontit://UserID@APIKey/Channel1/Channel2/ChannelN |
| Syslog | syslog:// | (UDP) 514 (if hostname specified) | syslog:// syslog://Facility syslog://hostname syslog://hostname/Facility |
| Telegram | tgram:// | (TCP) 443 | tgram://bottoken/ChatID tgram://bottoken/ChatID1/ChatID2/ChatIDN |
| twitter:// | (TCP) 443 | twitter://CKey/CSecret/AKey/ASecret twitter://user@CKey/CSecret/AKey/ASecret twitter://CKey/CSecret/AKey/ASecret/User1/User2/User2 twitter://CKey/CSecret/AKey/ASecret?mode=tweet |
|
| Twist | twist:// | (TCP) 443 | twist://pasword:login twist://password:login/#channel twist://password:login/#team:channel twist://password:login/#team:channel1/channel2/#team3:channel |
| XBMC | xbmc:// or xbmcs:// | (TCP) 8080 or 443 | xbmc://hostname xbmc://user@hostname xbmc://user:password@hostname:port |
| XMPP | xmpp:// or xmpps:// | (TCP) 5222 or 5223 | xmpp://user:password@hostname xmpps://user:password@hostname:port?jid=user@hostname/resource xmpps://user:password@hostname/target@myhost, target2@myhost/resource |
| Webex Teams (Cisco) | wxteams:// | (TCP) 443 | wxteams://Token |
| Zulip Chat | zulip:// | (TCP) 443 | zulip://botname@Organization/Token zulip://botname@Organization/Token/Stream zulip://botname@Organization/Token/Email |
Certi is a docker based application that can be installed using docker compose:
version: "3.6"
services:
certi:
image: techblog/certi
container_name: certi
restart: always
ports:
- "8081:8081"
environment:
- API_KEY=
- SLEEP_TIME=
- NOTIFIERS=
- LOG_LEVEL=
volumes:
- ./data:/opt/certi/db
- API_KEY - API key for sslmate search API.
- SLEEP_TIME - Time between scans (Default is 7200, which is 2 hours) - To prevent exceeding the search API limits.
- NOTIFIERS - List of Supported Notifications
- LOG_LEVEL - Optional valuse are: DEBUG (default), INFO, ERROR
In order to prevent data loss, it's recomended to mount a volume for the application Database. "/opt/certi/db" is the path inside the container where the sqlite db is located. it will be created automatically upon application startup.
Certi has a managment api for the domains and certificates. by default the port is set to 8081.
Certi has a small REST API endpoint created for easy managment. by default the port is set to to 8081. Swagger documentation can be accessed by adding "/docs" to the end of the url [http://docker:8081/docs].
The api have the following endpoints:
- domains/get (HTTP GET)- Get list of all monitored domains.
- domains/add/{DomainName} (HTTP PUT) - Add domain to monitored domains list.
- domains/delete/{DomainId} (HTTP DELETE) - Delete domain from the monitored domains list.
- /domains/active/{DomainId}/{state} (HTTP POST) - Set domain status to Active/InActive.
- /certificates/get (HTTP GET) - Get list off all certicicates that the Certi found.
